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(54) ENCRYPTED DATA DELIVERY SYSTEM 



(57) Technology for suppressing the data volume of 
a TRL (terminal revocation list), which is information 
specifying terminals to be invalidated, in a system struc- 
tured from a plurality of terminals, a distribution device 
for acquiring the TRL and distributing data to only those 
terminals that are not to be invalidated, and a manage- 
ment device for generating the TRL. This object is real- 
ized by a system structured from a management device, 
a content key distribution device and a plurality of ter- 
minals. The management device generates and trans- 
mits a TRL formed from data that expresses terminal 



IDs of all terminals to be invalidated (i.e. terminals 
whose IDs have a common bit string), by only a value 
and a position of the common bit string in the IDs, to the 
content key distribution device. Each terminal holds a 
terminal ID that includes a manufacturer ID. a serial 
number and the like, and requests the distribution of a 
content key by sending the terminal ID to the content 
key distribution device. The content key distribution de- 
vice refers to the TRL, judges whether the terminal ID 
transmitted from the terminal is that of an invalidated 
terminal, and if negative, encrypts and transmits the 
content key to the terminal. 
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Description 
TECHNICAL FIELD 

[0001] The present invention relates to encryption s 
communications systems, and in particular to an en- 
cryption communications system that includes an en- 
cryption communications device that does not accept 
requests from some of a plurality of terminals, and ac- 
cepts requests from and transmits encrypted data to the 
other terminals. 

BACKGROUND ART 

[0002] In recent years there has been extensive de- 
velopment of systems for conducting electronic busi- 
ness transactions and the like using the Internet. 
[0003] Encryption technology is used in data commu- 
nications conducted as part of electronic business trans- 
actions and the like. For example, public key encryption 
related encryption communications systems are often 
used for authenticating another communications party, 
and secret key encryption related encryption communi- 
cations systems are often used for distributing data 
safely. Encryption technology relating to public key and 
secret key encryption systems is described in detail in 
Contemporary Encryption T/ieo/y (Nobuichi Ikeno, Ken- 
ji Koyama, Institute of Electrical and Electronic Engi- 
neers, 1986) 

[0004] In relation to public key encryption related en- 
cryption communications systems, generally a public 
key certificate, issued by an organ known as the authen-. 
tication bureau and for verifying the correspondence be- 
tween a public key and the whoever or whatever has 
possession of the public key, is sent attached to the pub- 
lic key. The public key certificate is basically public in- 
formation that does not need to be handled secretly. A 
secret key paired with a public key. however, needs to 
be managed secretly. 

[0005] Normally, a public key certificate has a valid 
period, although if as the result of an accident or incident 
a secret key paired with a public key either has been or 
has possibly been disclosed, the public key certificate 
needs to be invalidated, even if still within the valid pe- 
riod. 

[0006] As a method of invalidating a public key certif- 
icate, a method involving the public release of a certifi- 
cate revocation list (CRL) is shown in Secure Electronic 
Commerce: Building the Infrastructure for Digital Signa- 
tures and Encryption (Warwick Ford, Michael S. Baum, 
Prentice Hall, 1 997). A CRL includes the serial numbers 
of all public key certificates to be invalidated, and a 
mechanism can be constructed that, using a CRL, in- 
validates and makes unusable public key certificates 
having serial numbers included in the CRL. 
[0007] Also, in the case of a distribution service in 
which a distribution device distributes keys for decrypt- 
ing digital content (hereafter "content keys") in response 



to requests from a large number of terminals that re- 
ceive/playback digital content and which are required to 
appropriately use video and other digital content en- 
crypted for reasons of copyright protection and the like, 
the distribution of content keys should, in view of copy- 
right protection and the like, be carried out only with re- 
spect to appropriate terminals. 

[0008] In this distribution service, it is imagined that a 
distribution system or the like be used in which terminals 
each have a unique secret key, and a distribution device 
for distributing keys receives, from a terminal, notifica- 
tion of a terminal identifier (terminal ID) unique to the 
terminal, together with a content key distribution re- 
quest, performs on a content key an encryption that is 
only possible using the secret key unique to the terminal, 
and transmits the encrypted content key to the terminal. 
[0009] In this case, if ascertained that a problem ex- 
ists with a secret key packaging method in a terminal 
manufactured by a certain manufacturer, it will be nec- 
essary to stop distribution of content keys to all terminals 
produced by this manufacturer. 

[0010] Furthermore, in relation to a mechanism that, 
for example, prevents the copying of digital content in a 
terminal, it will be necessary to stop distribution of con- 
tent keys to all terminals produced by a certain manu- 
facturer if a method for neutralizing this mechanism in 
terminals manufactured by the manufacturer is dis- 
closed. 

[001 1] In other words, it will sometimes be necessary 
to stop the distribution of content keys to terminals that 
have been corrupted. 

[001 2] As a method of responding to this requirement, 
a distribution device in a distribution service can be 
structured to receive a terminal ID together with a con- 
tent key distribution request from a terminal, to use a 
"terminal revocation list" (TRL). being a variant of the 
above CRL in which, instead of the serial numbers of 
public key certificates, the terminal IDs relating to all ter- 
minals to be invalidated are included, to distribute keys 
in response to a distribution request only when the re- 
ceived terminal ID is not included in the TRL, and to not 
respond to a distribution request if the terminal ID is in- 
cluded in the TRL. 

[0013] According to the above method, however, a 
data size of the TRL when a large number of terminals 
require invalidating is enormous, since the terminal IDs 
of all of these terminals are included. 
[0014] As an example, if 40 terminals are targeted by 
the distribution service, each terminal ID is a piece of 
fixed length data of 4 bytes or more, and 1% of these 
terminals require invalidating, the data size of the TRL 
will be at least 160 megabytes. 
[0015] For this reason, in is feared that a distribution 
service in which, in order to handle a large number of 
terminals, (i) a large number of distribution devices for 
distributing content keys are provided and dispersed 
throughout various regions or the like, (ii) a TRL is gen- 
erated in a single management device and sent, after 
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having a digital signature included therein, to the distri- 
bution devices via a public communications network or 
the like, and (iii) each distribution device judges, based 
on the TRL, whether distribution of a content key to a 
terminal is permissible, will not prove practical because 5 
of either the voluminous communication data or the vo- 
luminous data that the distribution devices are required 
to hold. 

[0016] For example, if a TRL is sent out every time 
there Is an increase in the number of terminals to be 
invalidated, communication bottlenecks are likely to oc- 
cur due to the large volume of communication data. 
Moreover, if a distribution device is structured to request 
a new TRL from a management device when a distribu- 
tion request is received from a terminal together with a 
terminal ID, and, after receiving the TRL, to collate the 
received terminal ID based on the TRL, the response by 
the distribution device to the request from the terminal 
will be delayed as a result of the length of time required 
in the reception of the TRL. 

DISCLOSURE OF THE INVENTION 

[0017] In view of the above issue, an object of the 
present invention is to provide an encryption communi- 
cations system that conducts a service relating to en- 
cryption communication, such as encrypting a content 
key and only distributing the encrypted content key to 
appropriate terminals (i.e. excluding those terminals to 
be invalidated) based on a TRL. and that suppresses 
the data size of the TRL and improves practicability. 
[0018] A further object of the present invention is to 
provide various technologies that contribute to the con- 
struction of the above encryption communications sys- 
tem. 

[001 9] An encryption communications system provid- 
ed to achieve the above object includes an encryption 
communications device, a plurality of terminals that are 
each operable to transmit to the encryption communi- 
cations device an identifier, which is a bit string having 
a predetermined number of bits for identifying the termi- 
nal, and a management device that generates invalidat- 
ed-terminal information showing one or more of the 
identifiers as information specifying one or more termi- 
nals to be invalidated. The management device has an 
invalidated-terminal information generation unit opera- 
ble to generate the invalidated-terminal information us- 
ing a data format that generically expresses, by infor- 
mation specifying a value of a section in a bit string hav- 
ing the predetermined number of bits, all identifiers in 
which a value of the section matches the specified val- 
ue; and an output unit operable to output the generated 
invalidated-terminal information. The encryption com- 
munications device has an invalidated-terminal informa- 
tion acquisition unit operable to acquire the invalidated- 
terminal information outputted by the management de- 
vice; an identifier receiving unit operable, when an iden- 
tifier is transmitted from one of the terminals, to receive 



the identifier; a judging unit operable to judge whether 
the received identifier matches any of the one or more 
identifiers shown by the invalidated-terminal information 
as information specifying one or more terminals to be 
invalidated; and a communication unit operable (i) when 
judged to not be any matches, to conduct a predeter- 
mined communication with the terminal that transmitted 
the identifier, by performing an encryption unique to the 
terminal, and (ii) when judged to be a match, to not con- 
duct the predetennined communication with the termi- 
nal. 

[0020] Here, the encryption communications device 
is, for example, a content key distribution device as 
shown in embodiments 1 to 3. the predetermined com- 
munication is, for example, the transmission of an en- 
crypted content key, and the invalidated-terminal infor- 
mation is, for example, a TRL ("terminal revocation list") 
as shown in embodiments 1 to 3. 
[0021] According to the present invention, all terminal 
IDs that include a certain bit string are expressed gener- 
ically by information specifying a value of and a position 
in a common bit string included in these terminal IDs, 
and thus it is possible to comparatively suppress the 
size of the TRL data volume, and as a result, realize a 
practical encryption communications system that con- 
ducts a service related to encryption communication, 
such as encrypting a content key and only distributing 
the encrypted content key to appropriate terminals (i.e. 
excluding those temiinals to be invalidated) based on a 
TRL. 

[0022] Furthermore, the invalidated-terminal informa- 
tion (i) may include one or more sets of corresponded 
value and position information, each piece of value in- 
formation showing a value of a section of a bit string 
having the predetermined number of bits, and a corre- 
sponding piece of position infomiation being for speci- 
fying a bit position of the section in the bit string, and (ii) 
may be infomiation specifying, as a terminal to be inval- 
idated, all terminals identified respectively by all identi- 
fiers in which a value of a partial bit string located in a 
bit position specified by a piece of position information 
matches a value shown by a piece of value information 
corresponding to the piece of position information, and 
the judging unit may (i) verify, for each piece of position 
information, whether a value, in the received identifier, 
of a partial bit string located in a bit position specified by 
the piece of position information matches a value shown 
by a piece of value information corresponding to the 
piece of position information, and (ii) judge, when veri- 
fied that there is at least one match, that the received 
identifier matches an identifier shown by the invalidated- 
terminal information. 

[0023] According to this structure, because the inval- 
idated-terminal information is structured in a format that 
corresponds a value and a position of a section of a ter- 
minal ID, a value of an arbitrary bit string range can ex- 
press all of the common terminal IDs by information 
formed from value/position sets, without having to fixed- 



15 



20 



25 



30 



35 



40 



45 



50 



5 



EP 1414 183 A1 



6 



ly determine a position of the section by an operational 
rule or the like, and thus If effectively operated. It is pos- 
sible to express a large number of invalidated terminals 
by a small Information volume. 

[0024] Furthermore, the invalidated-terminal Informa- 5 
tlon (i) may include one or more sets of corresponded 
representative information and mask flags, each piece 
of representative information being a bit string having 
the predetermined number of bits, and a corresponding 
mask flag having the predetermined number of bits, and 
(li) may be Information specifying, as a terminal to be 
Invalidated, all terminals identified by identifiers in which 
a value of a section having a bit value of "1" in a mask 
flag matches a value of the section in a piece of repre- 
sentative information corresponding to the mask flag, 
and the judging unit may (1) verify, for each mask flag, 
whether an AND of the mask flag and the received iden- 
tifier matches an AND of the mask flag and a piece of 
representative information corresponding to the mask 
flag, and (li) judge, when verified that there is at least 
one match; that the received identifier matches an iden- 
tifier shown by the invalidated-terminal information. 
[0025] According to this structure, in a format that ex- 
presses a large number of terminal IDs by sets which 
each comprise a value of a section in a terminal ID and 
a bit position of the section, a bit position structuring the 
section is shown by a position having a mask flag value 
set to "1". and a bit position not structuring the section 
is shown by a position having a mask flag value set to 
"0". Consequently, it is possible to extract, out of a ter- 
minal ID received from a terminal, a section to be col- 
lated with a value included in the invalidated-terminal 
information, by an easy calculation having a small 
number of computations that involves performing an 
AND (i.e. logical product) operation on the received ter- 
minal ID and a mask flag. This helps to speed up the 
judgments conducted in the encryption communications 
device. 

[0026] Furthermore, the invalidated-terminal informa- 
tion generation unit may generate isolated-value infor- 
mation for including in the invalidated-terminal informa- 
tion, each piece of isolated-value information having the 
predetermined number of bits, the invalidated-terminal 
Information may be information further specifying, as a 
terminal to be invalidated, terminals Identified by identi- 
fiers that match a piece of Isolated-value information, 
and the judging unit may further judge, when the re- 
ceived identifier matches a piece of isolated-value infor- 
mation, that the received identifier matches an identifier 
shown by the invalidated-terminal information. 
(0027] Here, isolated-value information is, for exam- 
ple, discrete information as shown in Fig. 8. According 
to this structure, when a terminal ID of an Invalidated 
temninal does not have a common bit with a terminal ID 
of other invalidated terminals (i.e. when a terminal ID is 
discrete), the discrete terminal ID is included in the in- 
validated-terminal information as isolated-value infor- 
mation, and thus, when there are a large number of in- 



validated terminals having discrete terminal IDs, it is 
possible to structure the invalidated-terminal informa- 
tion with a smaller amount of data than when a format 
is used that expresses the discrete IDs by sets which 
each consist of a value of a discrete terminal ID and a 
mask flag in which all the bits are "1". 
[0028] Furthermore, the invalidated-terminal informa- 
tion (i) may include one or more sets of corresponded 
significant-digit and value information, each piece of sig- 
nificant-digit information showing a number of bit digits, 
and a corresponding piece of value information showing 
a value of a bit string having the number of bit digits, and 
(ii) may be information specifying, as a terminal to be 
invalidated, all terminals identified by identifiers in which 
a value of a bit string having, from a most significant bit, 
a number of bit digits shown by a piece of significant- 
digit information matches a value shown by a piece of 
value information corresponding to the piece of signifi- 
cant-digit Information, and the judging unit may (i) verify, 
for each piece of significant-digit information, whether, 
in the received identifier, a value of a bit string having, 
from a most significant bit, a number of bit digits shown 
by the piece of significant-digit information matches a 
value shown by a piece of value information correspond- 
ing to the piece of significant-digit information, and (ii) 
judge, when verified that there is at least one match, that 
the received Identifier matches an identifier shown by 
the invalidated-terminal information. 
[0029] According to this structure, it is possible to ex- 
press all terminal IDs having a common value for only 
an arbitrary number of bits from a most significant bit in 
the terminal IDs, by value information and significant 
digit information that shows the arbitrary number of bits. 
Generally, in the management of terminal IDs, informa- 
tion distinguishing a collection of Identifiers or the like of 
manufacturers that manufacture terminals, or common 
qualities in terms of structure, function and the like of 
terminals, is often positioned in the high order bits of a 
terminal ID. In this way, it is possible to structure the in- 
validated-terminal information by data of a comparative- 
ly small volume, when there are a large number of ter- 
minals to be invalidated in relation to a specific manu- 
facturer, product structure, or the like. 
[0030] Furthermore, the management device may 
have an identifier acquisition unit operable to acquire 
the Identifiers of all terminals to be invalidated, and the 
invalidated-terminal information generation unit may (i) 
specify one or more X values satisfying a condition that, 
out of the identifiers acquired by the identifier acquisition 
unit, the number of identifiers which have matching X 
number of bits from a most significant bit is 2(^-^, and 
(li) generate the invalidated-terminal information using 
a data format that generically expresses, for each X val- 
ue, the 2i^-^ identifiers by significant-digit information 
showing the X number of bit digits, and by value infor- 
mation showing a value of a bit string of X bits from the 
most significant bit in the 2(^'^ identifiers, where N is 
the predetermined number of bits. 
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[0031] According to this structure, it is possible to con- 
struct invalidated-temninal infonmation that suppresses 
data volume, without placing an unnecessary operation- 
al burden on an operator or the like of a management 
device. 5 
[0032] Furthermore, each terminal may be manufac- 
tured by one of a plurality of manufacturers, and an iden- 
tifier identifying the terminal may show the manufacturer 
of the terminal by a bit string having a predetermined 
number of bits from a most significant bit in the identifier. 
[0033] According to this structure, it is possible to ex- 
press, by sets of low-volume information, all terminal IDs 
having a constant number of bits from a most significant 
bit that are common, and information showing a manu- 
facturer is included in the high order bits of the terminal 
IDs. Thus, it is possible to effectively suppress the data 
volume of the invalidated-terminal information, when as- 
certained that a structural problem (e.g. user is able to 
freely duplicate content by executing a certain proce- 
dure) exists with a terminal from a specific manufacturer. 
[0034] Furthermore, the identifier identifying the ter- 
minal may show a product type to which the terminal 
belongs, by a bit string having a predetermined number 
of bits that starts from an end of the bit string showing 
the manufacturer. 

[0035] According to this structure, when ascertained 
that a problem exist only with a certain product manu- 
factured by a specific manufacturer, it is possible to sup- 
press the data volume of the required invalidated-termi- 
nal information, since all terminals in which the product 
is mounted are determined as invalidated terminals. 
[0036] Furthermore, each terminal may hold a de- 
cryption key unique to the terminal, and may be further 
operable to internally store encrypted content, which is 
content encrypted by a content key, the output unit may 
conduct the output by transmitting the invalidated-termi- 
nal information to the encryption communications de- 
vice, the encryption communications device may have 
an encryption key storage unit operable to store encryp- 
tion keys that correlate one-to-one with the decryption 
keys of all of the terminals, and a content key storage 
unit operable to store the content key, the invalidated- 
terminal information acquisition unit may conduct the 
acquisition by receiving the invalidated-terminal infor- 
mation transmitted by the output unit, the communica- 
tion unit, when judged by the judging unit that the re- 
ceived identifier does not match any of the identifiers 
shown by the invalidated-terminal information, may en- 
crypt the content key using an encryption key that cor- 
relates with the decryption key unique to the terminal 
which transmitted the identifier, and transmit the en- 
crypted content key to the terminal, and each terminal 
may have a decrypting unit operable to decrypt the en- 
crypted content key transmitted from the encryption 
communications device, using the decryption key 
unique to the terminal, and a playback unit operable, 
when the encrypted content is stored in the terminal, to 
decrypt the encrypted content using the decrypted con- 
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tent key, and to playback the decrypted content. 
[0037] According to this structure, when a system is 
realized in which consideration is given to copyright pro- 
tection and the like, by restricting playback of content to 
when a terminal acquires an encrypted content key from 
an encryption communications device, it is possible, if 
ascertained that copyright protection is no longer pos- 
sible for a group of terminals from a certain manufactur- 
er, to suppress the volume of data that has to be sent 
from a management device to the encryption communi* 
cations device, and to shorten the transmission time of 
the data, since information for identifying the group of 
terminals to be invalidated can be constituted by low- 
volume data consisting of a number of bit digits showing 
a section of a terminal ID from a most significant bit to 
a part indicating a manufacturer ID. and the manufac- 
turer ID. 

[0038] Furthermore, the invalidated-terminal informa- 
tion (i) may include one or more pieces of generic and 
exception information, each piece of generic information 
specifying both a section in a bit string having the pre- 
determined number of bits and a value of the section, 
and each piece of exception information having the pre- 
determined number of bits, and (ii) may be information 
specifying, as a terminal to be invalidated, all terminals 
identified by identifiers in which a section specified by a 
piece of generic information matches a value specified 
by the piece of generic information, and which do not 
match a piece of exception information, and the judging 
unit may (i) verify whether a section, in the received 
identifier, specified by a piece of generic information 
matches a value specified by the piece of generic infor- 
mation, and (ii) judge, when verified that there is a 
match, that the received identifier matches an identifier 
shown by the invalidated-terminal information, except 
when the received identifier matches a piece of excep- 
tion information. 

[0039] According to this structure, by employing ex- 
ception information, it is sometimes possible to specify 
the terminal IDs of all invalidated terminals by a lower 
data volume, than when specifying terminal IDs of inval- 
idated terminals using only generic information. Consid- 
er an example in which there are 15 invalidated termi- 
nals, and the terminal IDs of these terminals all have 
common bit string values except for the low order 4 bits. 
Hypothetically it would be possible to construct invali- 
dated-terminal information specifying the terminal IDs 
of these 15 invalidated terminals by using (i) one piece 
of generic information to express the terminal IDs of the 
eight terminals having common bit string values except 
for the low order 3 bits, (ii) another piece of generic in- 
formation to express the terminal IDs of the four termi- 
nals having common bit string values except for the low 
order 2 bits, (iii) another piece of generic information to 
express the terminal IDs of the two terminals having 
common bit string values except for the least significant 
bit, and (iv) a value of the terminal ID of the remaining 
terminal to express the terminal ID of that terminal. In 
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comparison, according to the present invention, it is pos- 
sible to construct invalidated-terminal information hav- 
ing the same significance, by using one piece of generic 
information to express the terminal IDs of 16 terminals 
having common bit strings except for the low order 4 s 
bits, and exception information to express the terminal 
ID of the one terminal out of the 16 terminal that is not 
invalidated, and thus suppress the data volume of the 
invalidated-terminal information. 
[0040] Furthermore, the management device may 
have an identifier acquisition unit operable to acquire 
the identifiers of all tenminals to be invalidated, and the 
invalidated-terminal information generation unit may (i) 
determine, as the exception information, an A/-bit bit 
string, obtained by inverting only a least significant bit 
of one of the identifiers acquired by the identifier acqui- 
sition unit, satisfying a first condition that the bit string 
not match any of the identifiers acquired by the identifier 
acquisition unit, (ii) provisionally designate the deter- 
mined bit string as an identifier, (ill) specify one or more 
X values satisfying a second condition that, out of the 
identifiers acquired by the identifier acquisition unit and 
the provisionally designated identifier, the number of 
identifiers which have matching X number of bits from 
a most significant bit is 2(^-^, and (iv) generate the in- 
validated-terminal information by determining, as the 
generic information for each specified X value, informa- 
tion specifying the X value and a value of a bit string of 
Xbits from the most significant bit in the 2^^-^ identifiers, 
where N is the predetermined number of bits and X is 
less than N. 

[0041] According to this structure, it is possible to con- 
struct invalidated-terminal information whose data vol- 
ume is suppressed under a constant condition, without 
placing an unnecessarily operational burden on the op- 
erator or the like of a management device. 
[0042] Furthermore, each terminal may hold a unique 
decryption key. the encryption communications device 
may have an encryption key storage unit operable to 
store encryption keys that correlate one-to-one with the 
decryption keys of all of the terminals, the communica- 
tion unit, when judged by the judging unit that the re- 
ceived identifier does not match any of the identifiers 
shown by the invalidated-terminal information, may en- 
crypt communication data using an encryption key that 
correlates with the decryption key unique to the terminal 
which transmitted the identifier, and transmit the en- 
crypted communication data to the terminal, and the ter- 
minal may decrypt the encrypted communication data 
transmitted from the encryption communications de- 
vice, using the decryption key unique to the terminal. 
[0043] According to this structure, in a system that in- 
cludes an encryption communications device for con- 
ducting a service in which communications data is only 
sent to legitimate terminals, it is possible to suppress 
the data volume of invalidated-terminal information re- 
quired in judging whether or not a terminal is legitimate, 
even when there are a large number of terminals to be 



invalidated. As a result. It is possible to plan for a speed- 
ing up of the judgment and the like. 
[0044] Furthemnore. the output unit may conduct the 
output by transmitting the invalidated-terminal informa- 
tion to the encryption communications device, and the 
invalidated-terminal information acquisition unit may 
conduct the acquisition by receiving the invalidated-ter- 
minal information transmitted by the output unit. 
[0045] According to this structure, a management de- 
vice constructs invalidated-terminal information re- 
quired by an encryption communications device while 
suppressing data volume, and thus it is possible to 
transmit the invalidated-terminal information quickly to 
the encryption communications device. 
[0046] Furthermore, the output unit may have a 
mounting subunit operable to mount a storage medium, 
and may conduct the output by storing the invalidated- 
terminal information on the mounted storage medium, 
and the invalidated-terminal information acquisition unit 
may be operable to mount the storage medium, and may 
conduct the acquisition by reading the invalidated-ter- 
minal information from the mounted storage medium. 
[0047] According to this structure, it is possible to use 
a conventional storage medium having a reasonably 
small acceptable storage capacity, when a management 
device stores invalidated-terminal information required 
by an encryption communications device on a storage 
medium and transfers the storage medium. 
[0048] A management device provided to achieve the 
object generates invalidated-terminal information show- 
ing, out of a plurality of identifiers identifying a plurality 
of terminals, the identifiers of one or more terminals to 
be invalidated, each identifier being a bit string having 
a predetermined number of bits for identifying a different 
one of the terminals, and includes an invalidated-termi- 
nal information generation unit operable to generate the 
invalidated-terminal information using a data format that 
generically expresses, by information specifying a value 
of a section in a bit string having the predetermined 
number of bits, all identifiers in which a value of the sec- 
tion matches the specified value; and an output unit op- 
erable to output the generated invalidated-terminal in- 
formation. 

[0049] As a result of this management device, the in- 
validated-terminal information to be outputted is able to 
specify a large number of invalidated terminals by a rel- 
atively small data volume, and as a result the invalidat- 
ed-terminal information to be outputted is readily usable 
in terms of transmission and storage onto a storage me- 
dium. 

[0050] Furthermore, the invalidated-terminal informa- 
tion (i) may include one or more sets of corresponded 
value and position information, each piece of value In- 
formation showing a value of a section of a bit string 
having the predetermined number of bits, and a corre- 
sponding piece of position information being for speci- 
fying a bit position of the section in the bit string, and (ii) 
may be information specifying, as a terminal to be inval- 
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idated, all terminals identified respectively by all identi- 
fiers in which a value of a partial bit string located in a 
bit position specified by a piece of position information 
matches a value shown by a piece of value information 
corresponding to the piece of position information. s 
[0051] According to this structure, all terminal IDs 
having a common value of an arbitrary bit string range 
can be expressed by information formed from value/po- 
sition sets, without having to fixedly determine a position 
of a section by operation rules or the like, since the in- 
validated-terminal information is in a format in which a 
value of a section of a terminal ID and a position of the 
section are corresponded, and as a result it is possible, 
if operated effectively, to express a large number of in- 
validated terminals by a low information volume. 
[0052] Furthermore, each terminal may be manufac- 
tured by one of a plurality of manufacturers, and an iden- 
tifier identifying the terminal may show the manufacturer 
of the terminal by a bit string having a predetermined 
range in the identifier. 

[0053] According to this structure, it is possible to ef- 
fectively suppress the data volume of Invalidated-termi- 
nal information, in cases such as when it is ascertained 
that a structural flaw exists in terminals manufactured 
by a specific manufacturer. 

[0054] An encryption communications device provid- 
ed to achieve the above object is for conducting com- 
munications with a plurality of terminals, each of which 
holds an identifier, which is a bit string having a prede- 
termined number of bits for identifying the terminal, and 
includes an invalidated-terminal information acquisition 
unit operable to acquire, from an external source, inval- 
idated-terminal information that shows the identifiers of 
one or more terminals as information for specifying one 
or more terminals to be invalidated, the invalidated-ter- 
minal information being structured using a data format 
that generically expresses, by information specifying a 
value of a section in a bit string having the predeter- 
mined number of bits, all identifiers in which a value of 
the section matches the specified value; an identifier re- 
ceiving unit operable, when an identifier held by a ter- 
minal is transmitted from the terminal, to receive the 
identifier; a judging unit operable to judge whether the 
received identifier matches any of the one or more iden- 
tifiers shown by the invalidated-temninal information as 
information specifying one or more terminals to be in- 
validated; and a communication unit operable (i) when 
judged to not be any matches, to conduct a predeter- 
mined communication with the terminal that transmitted 
the identifier, by performing an encryption unique to the 
terminal, and (11) when judged to be a match, to not con- 
duct the predetermined communication with the termi- 
nal. 

[0055] According to this structure, it is possible to 
quickly judge whether a terminal ID received firom a ter- 
minal is the terminal ID of an invalidated terminal, by 
obtaining and referring to invalidated-terminal informa- 
tion specifying a large number of invalidated terminals 



using a relatively low data volume. 
[0056] Furthermore, the invalidated-terminal informa- 
tion (i) may include one or more sets of corresponded 
value and position information, each piece of value in- 
formation showing a value of a section of a bit string 
having the predetermined number of bits, and a corre- 
sponding piece of position information being for speci- 
fying a bit position of the section in the bit string, and (ii) 
may be information specifying, as a terminal to be inval- 
idated, all terminals identified respectively by all identi- 
fiers in which a value of a partial bit string located in a 
bit position specified by a piece of position information 
matches a value shown by a piece of value information 
corresponding to the piece of position information, and 
the judging unit may (i) verify, for each piece of position 
information, whether a value, in the received identifier, 
of a partial bit string located in a bit position specified by 
the piece of position information matches a value shown 
by a piece of value information corresponding to the 
piece of position information, and (ii) judge, when veri- 
fied that there is at least one match, that the received 
identifier matches an identifier shown by the invalidated- 
terminal information. 

[0057] According to this structure, all terminal IDs 
having a common value of an arbitrary bit string range 
can be expressed by information formed from value/po- 
sition sets, without having to fixedly determine a position 
of a section by operation rules or the like, since the in- 
validated-terminal information is in a format in which a 
value of a section of a terminal ID and a position of the 
section are corresponded, and as a result it is possible, 
if operated effectively, to express a large number of in- 
validated terminals by a low information volume. 
[0058] An information generation method provided to 
achieve the above object generates invalidated-termi- 
nal information for specifying one or more terminals to 
be invalidated out of a plurality of terminals, and includes 
an identifier acquisition step of acquiring identifiers of 
terminals to be invalidated, each identifier being a bit 
string having a predetermined number of bits for identi- 
fying a different one of the terminals; and an invalidated- 
terminal information generation step of generating the 
invalidated-terminal information to show all of the iden- 
tifiers acquired in the identifier acquisition step, using a 
data format that generically expresses, by information 
specifying a value of a section in a bit string having the 
predetermined number of bits, all identifiers in which a 
value of the section matches the specified value. 
[0059] According to this structure, it is possible to con- 
struct information for specifying a large number of inval- 
idated terminals while suppressing data volume. 
[0060] A computer-readable storage medium provid- 
ed to achieve the above object stores invalidated-termi- 
nal data, and in order to specify, out of a plurality of iden- 
tifiers that are bit strings having a predetermined 
number of bits for identifying a different one of a plurality 
of terminals, the identifiers of one or more terminals to 
be invalidated, the invalidated-terminal data (i) has an 
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identifier-specifying field that stores section information 
for specifying a value of a section of a bit string having 
the predetermined number of bits, and (ii) generically 
expresses, by the section information, all identifiers in 
which a value of the section matches the specified val- 
ue. 

[0061] In order to specify, out of a plurality of Identifi- 
ers that are bit strings having a predetermined number 
of bits for identifying a different one of a plurality of ter- 
minals, the identifiers of one or more terminals to be in- 
validated, invalidated-terminal data provided to achieve 
the above object (i) has an identifier-specifying field that 
stores section information for specifying a value of a 
section of a bit string having the predetermined number 
of bits, and (ii) generically expresses, by the section in- 
formation, all identifiers in which a value of the section 
matches the specified value. 

[0062] According to these structures, all terminal IDs 
that include a certain bit string are expressed generically 
by information specifying a value and a position of a 
common bit string included therein, and thus it is possi- 
ble to comparatively suppress the data volume of inval- 
idated-terminal data. 

[0063] An encryption communications system provid- 
ed to achieve the above object includes an encryption 
communications device, a plurality of terminals that 
each transmit to the encryption communications device 
a key identifier having a predetermined number of bits, 
and a management device that generates invalidated- 
identifier information specifying one or more key identi- 
fiers to be invalidated. The management device has an 
invalidated-identifier information generation unit opera- 
ble to generate the invalidated-identifier information us- 
ing a data format that generically expresses, by infor- 
mation specifying a value of a section in a bit string hav- 
ing the predetermined number of bits, all identifiers in 
which a value of the section matches the specified val- 
ue; and an output unit operable to output the generated 
invalidated-identifier information. The encryption com- 
munications device has an acquisition unit operable to 
acquire the invalidated-identifier information outputted 
by the management device; an identifier receiving unit 
operable to receive a key identifier transmitted from one 
of the plurality of terminals; a judging unit operable to 
judge whether the received key identifier matches any 
of the one or more key* identifiers specified by the inval- 
idated-identifier information; and a communication unit 
operable, only when judged to not be any matches, to 
conduct a predetermined communication with the termi- 
nal that transmitted the key identifier, by performing an 
encryption relating uniquely to the key identifier. 
[0064] According to this structure, the volume of data 
required in authenticating the legitimacy of a key iden- 
tifier can be suppressed, and thus it is possible to en- 
hance the practicability of a system that conducts a serv- 
ice such as performing a predetermined communication 
involving, for example, the transmission of specific val- 
uable data only to terminals that send a legitimate key 



identifier. 

BRIEF DESCRIPTION OF THE DRAWINGS 
5 [0065] 

Fig.1 is a structural diagram of a content key distri- 
bution system according to an embodiment 1 
of the present invention; 
10 Fig.2 shows terminal IDs and decryption keys 
stored by terminals; 

Fig.3 is a conceptual diagram showing a method 
for determining a value of terminal IDs held 
by terminals; 

15 Fig.4 shows exemplary content of data stored in an 
encryption key storage unit 124 of a content 
key distribution device 120; 
Fig. 5 is a flowchart showing TRL generation/trans- 
mission processing conducted by a manage- 
20 ment device 110; 

Fig.6 is a flowchart showing content playback 
processing conducted by a content playback 
device 130; 

Fig. 7 is a flowchart showing content key distribu- 
25 tion processing conducted by content key 

distribution device 120; 

Fig.8 shows a data structure of a TRL in embodi- 
ment 1; 

Fig.9 shows exemplary content of a TRL; 
30 Fig. 10 is a flowchart showing TRL data generation 
processing, which is a part of the TRL gener- 
ation/transmission processing conducted by 
management device 110 In embodiment 1; 

Fig. 1 1 is a flowchart showing TRL collation process- 
35 ing, which is a part of the content key trans- 

mission processing conducted by content 
key distribution device 120 in embodiment 1; 

Fig. 12 shows a data structure of a terminal ID in an 
embodiment 2; 

40 Fig.1 3 shows a data structure of a TRL in embodi- 
ment 2; 

Fig. 14 is a flowchart showing TRL data generation 
processing, which is a part of TRL genera- 
tion/transmission processing conducted by 
45 management device 1 1 0 in embodiment 2; 

Fig. 1 5 shows exemplary content of a TRL; 

Fig. 16 is a flowchart showing TRL collation process- 
ing, which is a part of content key transmis- 
sion processing conducted by content key 
50 distribution device 120 in embodiment 2; 

Fig. 1 7 shows a data structure of a TRL in an embod- 
iment 3; 

Fig. 18 is a flowchart showing TRL data generation 
processing, which is a part of TRL genera- 
55 tion/transmisslon processing conducted by 

management device 110 in embodiment 3; 

Fig. 19 is a flowchart showing TRL collation process- 
ing, which is a part of content key transmis- 
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sion processing conducted by content key 
distribution device 120 in embodiment 3; and 
Fig.20 is a structural diagram of a content key distri- 
bution system according to an embodiment 4 
of the present invention. 5 

BEST MODE FOR CARRYING OUT THE INVENTION 

[0066] The following describes, with reference to the 
drawings, a content key distribution system, which is an 
embodiment of the present invention applied as a sys- 
tem that takes into consideration copyright protection 
and the like of content. 

Embodiment 1 

System Structure 

[0067] Fig.1 is a structural diagram of a content key 
distribution system according to an embodiment 1 of the 
present invention. 

[0068] Content key distribution system 100 is struc- 
tured to include a plurality of content playback devices 
130 for playing back content, a content key distribution 
device 120 for distributing encrypted content keys in re- 
sponse to requests from the content playback devices, 
and a management device 110 for sending, to content 
key distribution device 120, a terminal revocation list 
(TRL), which is information used forjudging whether dis- 
tribution of an encrypted content key is permissible. 
Here, either one or a plurality of content key distribution 
devices 120 is provided in the content key distribution 
system. 

[0069] Here, content playback devices 130a, 130b 
and the like are, for example, each disposed in a differ- 
ent household, and function to acquire encrypted con- 
tent via a communication channel, storage media or the 
like, and to decode and playback the acquired content 
using a content key. 

[0070] In a system in which consideration is given to 
copyright protection, it is assumed that content will be 
encrypted and then targeted for circulation. For this rea- 
son, if a content playback device does not obtain a con- 
tent key by decrypting an encrypted content key receiv- 
ing from content key distribution device 120, an encrypt- 
ed content cannot be decrypted and played back. Con- 
tent playback devices 130 (hereafter "terminals") each 
includes a CPU, a hard disk, a mechanism for commu- 
nicating with an external unit, and the like, and conduct 
content playback processing for playing back movies 
and other content for viewing, listening to or the like by 
a user, via a display device, a speaker or the like. Func- 
tionally, each terminal has a terminal ID storage unit 
131. a decryption key storage unit 132, a encrypted con- 
tent storage unit 133, a request transmitting unit 134, an 
encrypted content key receiving unit 135. a decryption 
unit 136, and a playback unit 137. 
[0071] Tenninal ID storage unit 131 is a storage area 
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in a ROM (read only memory) or the like, and stores ter- 
minal IDs that are for identifying the various terminals. 
If, for example, 16 terminals are used in content key dis- 
tribution system 100, the tenninal IDs will be structured 
by bit strings of four or more bits that allow identification 
of the 16 terminals, and if, for example, there are 50 ter- 
minals, the terminal IDs will be bit strings in excess of 
32 bits. For ease of understanding, embodiment 1 will 
be described mainly in relation to there been 16 termi* 
nats and 4-bit terminal IDs. 

[0072] Decryption key storage unit 132 is a storage 
area in' a ROM or the like that stores a decryption key 
used for decrypting an encrypted content key. The de- 
cryption key is a secret key having a value that is unique 
for each terminal, and is structured, for example, by 128 
bits. 

[0073] Encrypted content storage unit 133 is a stor- 
age area on a storage medium such as a hard disk, and 
stores encrypted content. The terminals each function 
to acquire (by receiving transmission, etc.) encrypted 
content from an external source, and to store the en- 
crypted content in unit 133. 

[0074] Request transmitting unit 134 functions to 
send transmission request information that includes a 
terminal ID stored in terminal ID storage unit 1 31 to con- 
tent key distribution device 120, via a communication 
channel 101 (i.e. public network, etc.). 
[0075] Encrypted content key receiving unit 1 35 func- 
tions, when an encrypted content key is sent from con- 
tent key distribution device 120, to receive the encrypted 
content key. 

[0076] Decryption unit 136 functions, when an en- 
crypted content key is received by encrypted content 
key receiving unit 135, to decrypt the encrypted content 
key using a decryption key stored in decryption key stor- 
age unit 132, and to send a content key obtained as a 
result of the decryption to playback unit 137. 
[0077] Playback unit 1 37 functions to decrypt encrypt- 
ed content stored in encrypted content storage unit 133 
using a content key sent from decryption unit 136, and 
to playback the decrypted content. A user is able to view, 
listen to or the like content played back by playback unit 
137. 

[0078] Some of the functions conducted by request 
transmitting unit 134. decryption unit 136 and playback 
unit 137 are realized by a control program stored in a 
memory being executed by a CPU. 
[0079] Management device 110 is, for example, a 
computer or the like installed in an organization that con- 
ducts operations relating to the protection of the copy- 
right and the like of content. Management device 110 
conducts TRL generation/transmission processing for 
generating a TRL that has as main content, information 
for specifying all terminals with respect to which protec- 
tion of copyright and the like can no longer be guaran- 
teed due to a decryption key stored therein having been 
disclosed (i.e. all terminals to which an encrypted con- 
tent key should not be distributed) , and for transmitting 
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the generated TRL to content key distribution device 
120. Hereafter, terminals to which an encrypted content 
key should not be distributed are referred to as "invali- 
dated terminals". 

[0080] Management device 110, as shown in Fig.1, 5 
includes an invalidated-terminal ID acquisition unit 111, 
a TRL generation unit 112, and a TRL transmitting unit 
113. 

[0081] Here, invalidated-terminal ID acquisition unit 
111 functions to acquire information specifying terminal 
IDs related to all invalidated terminals, and to provide 
the acquired terminal IDs to TRL generation unit 112. 
[0082] TRL generation unit 112 functions to generate 
a TRL whose main content is information specifying in- 
validated terminals, based on the terminal IDs provided 
by invalidated-terminal ID acquisition unit 111, and to 
send the generated TRL to TRL transmitting unit 113. 
The generation of a TRL is described in detail in a later 
section. 

[0083] TRL transmitting unit 113 functions to transmit 
a TRL sent from TRL generation unit 1 1 2 to content key 
distribution device 120 via a communication channel. 
[0084] The procedures involved in the TRL genera- 
tion/transmission processing conducted by manage- 
ment device 110 are described in a later section. 
[0085] It is assumed that, for example, periodically or 
when there is a change in invalidated terminal informa- 
tion to be included in a TRL, management device 110 
operates to transmit a TRL to content key distribution 
device 120. 

[0086] Content key distribution device 120 is a com- 
puter that conducts content key distribution processing, 
which involves transmitting, when a terminal from which 
a content key transmission request is received is not an 
invalidated terminal, an encrypted content key to the ter- 
minal. Functionally, device 120 includes a TRL storage 
unit 121 , a TRL receiving unit 122, a content key storage 
unit 123, an encryption key storage unit 124, a transmis- 
sion request reception unit 125. a collation unit 126, an 
encryption unit 1 27, and an encrypted content key trans- 
mitting unit 128. 

[0087] Here, TRL storage unit 121 is an area on a stor- 
age medium such as a hard disk, and stores a TRL. 
[0088] TRL receiving unit 122 functions to receive a 
TRL transmitted from management device 110. and to 
store the received TRL in TRL storage unit 121. 
[0089] Content key storage unit 1 23 is a storage area 
in a memory or the like, and stores a content key. 
[0090] Encryption key storage unit 124 is an area on 
a hard disk or the like, and stores in advance for each 
terminal, a terminal ID of the terminal and an encryption 
key that correlates with a decryption key of the terminal, 
so that the tenminat ID and the encryption key corre- 
spond. 

[0091] Transmission request reception unit 125 func- 
tions to receive a transmission request sent from a ter- 
minal via a public network, and convey the terminal ID 
included in the transmission request to collation unit 



126. 

[0092] Collation unit 126 functions to judge whether 
the terminal from which a transmission request originat- 
ed is an invalidated terminal, by collating whether there 
is a match with any of the invalidated terminals specified 
by a TRL, to convey an instruction to encrypted content 
key transmitting unit 128 showing that an error message 
should be returned to the transmission source when 
judged to be an invalidated terminal, and to convey to 
encryption unit 127 a terminal ID conveyed from trans- 
mission request reception unit 125 when Judged not to 
be an invalidated terminal. 

[0093] Encryption unit 1 27 functions, when a terminal 
ID is conveyed from collation unit 126, to generate an 
encrypted content key, by using an encryption key cor- 
responded to the terminal ID in encryption key storage 
unit 124 to encrypt a content key stored in content key 
storage unit 123, and to send the encrypted content key 
to encrypted content key transmitting unit 128. 
[0094] Encrypted content key transmitting unit 128 
functions to transmit an error message to a terminal that 
issued a transmission request when an instruction 
showing to return an error message is conveyed from 
collation unit 126, and to transmit an encrypted content 
key to a terminal that issued a transmission request 
when an encrypted content key is conveyed from en- 
cryption unit 127. 

Terminal ZDs, Decryption Keys and Encryption Keys 

[0095] Fig. 2 shows terminal IDs and decryption keys 
stored by the terminals. 

[0096] Content key distribution system 100 includes 
16 terminals, and when the terminal IDs are each 4 bits, 
as shown in Fig .2, a terminal 0, for example, holds a 
terminal ID "0000" and a decryption key "DK^", a termi- 
nal 1 holds a terminal ID "0001" and a decryption key 
"DK/, and a terminal 15 holds a terminal ID "1111" and 
a decryption key "DK^g". Decryption keys DKq, DKp 
OKf5 are all bit strings whose individual values do not 
match. The terminals protect the decryption keys in a 
secret state using tamper-resistant technology and the 
like. 

[0097] Fig. 3 is a conceptual diagram showing a meth- 
od for determining a value of terminal IDs held by termi- 
nals. 

[0098] The allotment of terminal IDs to terminals man- 
ufactured by various manufacturers is determined, for 
example, by an organization for conducting operations 
relating to the protection of copyright and the like, and 
when the terminals are manufactured, the manufactur- 
ers, in accordance with the allotment, configure, in each 
terminal, a ROM or the like storing the terminal ID allot- 
ted to the terminal. 

[0099] Given that the circles in Fig.3 are "nodes", and 
the lines connecting the nodes are "paths", a binary tree 
structure is determined in Fig.3 such that the 16 termi- 
nals are corresponded one-to-one with nodes 12 on the 
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lower-most layer, and either a 0-value or a 1 -value is 
consigned to each of the two paths from one node to 
nodes on a lower layer. 

[0100] The terminal ID of each terminal Is expressed 
by a bit string obtained by joining together, from higher 
to lower layers, the 0 or 1 values consigned to all of the 
paths connecting a node 11 on the upper-most layer to 
a node 12 on the lower-most layer corresponding to the 
terminal. Consequently, the terminal IDs relating to the 
terminals are determined as shown in Fig.2. 
[0101] Fig.4 shows exemplary content of data stored 
in encryption key storage unit 124 of content key distri- 
bution device 120. 

[0102] In encryption key storage unit 124 are stored, 
as shown in Fig.4, corresponded terminal IDs and en- 
cryption keys for all of the terminals. 
[0103] For example, encryption key EKq is corre- 
sponded to terminal ID 0000, encryption key EKq being 
a key that correlates with decryption key DKq held in ter- 
minal 0. Consequently, data encrypted using encryption 
key EKq can be decrypted using decryption key DKq. 
[0104] Encryption key EK^ and correlated decryption 
key DK/ form a pair, and are matched when using a se- 
cret key encryption system in an encryption algorithm 
for encrypting a content key, and are not matched when 
using a public key encryption system. 

System Operations 

[0105] The following is a summary of the system op- 
erations of content key distribution system 100. 

Operations of Management Device 

[0106] Fig.5 is a flowchart showing TRL generation/ 
transmission processing conducted by management 
device 110. 

[0107] TRL generation unit 112 in management de- 
vice 110 acquires terminal IDs relating to invalidated ter- 
minals from invalidated-terminal ID acquisition unit 111 
(step S21), and conducts TRL data generation process- 
ing that involves calculating a content of an information 
part (hereafter "ID-related information") of a TRL for 
specifying invalidated terminals (step S22). The TRL da- 
ta generation processing is described in detail in a later 
section. 

[01 08] After the TRL data generation processing, TRL 
generation unit 112 constructs a TRL that includes the 
generated ID-related information (step S23), conveys 
the generated TRL to TRL transmitting unit 113, and 
TRL transmitting unit 113, having received the TRL, 
transmits the received TRL to content key distribution 
device 120 via a communication channel (step S24). 

Operations of Content Playbact< Device 

[0109] Fig.6 is a flowchart showing content playback 
processing conducted by content playback device 130. 



[0110] Content playback device 130 (terminal) con- 
ducts content playback processing on receipt, for exam- 
ple, of a user operation instructing content playback. 
[0111] First, request transmitting unit 134 in a terminal 

s requests the transmission of an encrypted content key, 
by transmitting, via a communication channel, a trans- 
mission request constituted by data that includes a ter- 
minal ID unique to the terminal and stored in terminal ID 
storage unit 131 (step S31). In response to the request, 

10 either an encrypted content key or an error message is 
sent from content key distribution device 120. 
[0112] After the transmission request, encrypted con- 
tent key receiving unit 135 judges whether reception of 
the encrypted content key was successful (step S32), 

15 and conveys the encrypted content key to decryption 
unit 1 36 only when the encrypted content key is received 
normally. On receipt of the encrypted content key, de- 
cryption unit 136 decrypts the encrypted content key us- 
ing a decryption key held in decryption key storage unit 

20 132, and conveys a content key obtained as a result of 
the decryption to playback unit 137 (step S33). 
[01 1 3] When a content key is conveyed, playback unit 
137 decrypts encrypted content stored in encrypted 
content storage unit 133 using the content key, and 

25 plays back the content as it is being decrypted (step 
S34) . As a result of this playback, video, audio and the 
like is, for example, outputted via a display device, a 
speaker and the like, thus allowing a user to view/listen 
to the content. 

30 

Operations of Content Key Distribution Device 

[01 14] Fig. 7 is a flowchart showing content key distri- 
bution processing conducted by content key distribution 

35 device 120. 

[0115] Content key distribution device 120 receives, 
via receiving unit 122, and stores a TRL in storage unit 
121 at least once before conducting the content key dis- 
tribution processing, and conducts the content key dis- 

40 tribution processing whenever a transmission request is 
sent from one of content playback devices 130. 
[01 1 6] When a transmission request is sent from one 
of content playback devices 130 (terminal), transmis- 
sion request reception unit 125 receives the transmis- 

45 sion request and conveys a terminal ID included in the 
received transmission request to collation unit 126 (step 
S41). 

[0117] When a terminal ID is conveyed, collation unit 
126 conducts TRL collation processing that involves re- 
50 ferring to a TRL and judging whether the terminal ID is 
the terminal ID of an invalidated terminal (step S42). The 
TRL collation processing is described in detail in a later 
section. 

[01 18] When, as a result of the TRL collation process- 
55 ing, a terminal ID relating to the transmission request is 
judged to be the terminal ID of an invalidated terminal 
(step S43 = YES), collation unit 126 conveys to encrypt- 
ed content key transmitting unit 128 an instruction show- 
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ing that an error message should be returned to the 
transmission source of the transmission request, and in 
response, unit 128 conducts error processing that in- 
volves an error message being transmitted to the termi- 
nal (step S47), and ends the content key distribution 
processing. 

[0119] If in step S43, it is judged, as a result of the 
TRL collation processing, that a terminal ID relating to 
the transmission request is not the terminal ID of an in- 
validated terminal (step S43 = NO), collation unit 126 
conveys the terminal ID relating to the transmission re- 
quest to encryption unit 127, and on receipt of the ter- 
minal ID, encryption unit 127 extracts an encryption key 
corresponding to the terminal ID from encryption key 
storage unit 124, uses the extracted encryption key to 
encrypt a content key stored in content key storage unit 
123, thus generating an encrypted content key, and con- 
veys the encrypted content key to encrypted content key 
transmitting unit 128 (step S45). 
[0120] When an encrypted content key is conveyed, 
encrypted content key transmitting unit 128 transmits 
the encrypted content key to the terminal that issued the 
transmission request (step S46), and ends the content 
key distribution processing. 

TRL Structure 

[0121] Fig.8 shows a data structure of a TRL in em- 
bodiment 1 . 

[0122] Although the bit size example given in Fig.8 as- 
sumes that there are 16 terminals, exemplary bit sizes 
corresponding to when there are several times as many 
terminals are show in parenthesis for reference purpos- 
es as a further practical example. The following descrip- 
tion refers to the bit size example for 16 terminals. 
[0123] As shown in Fig.8. a TRL is structured from 
8-bit version information 210, ID-related information 
220, and 64-bit signature information 230. 
[0124] Version information 210 is information showing 
a version number of a TRL, and the version number 
changes, for example, every time a TRL with different 
content is newly generated. 

[0125] ID-related infomiation 220 is structured from 
group information 221 and discrete information 225. 
[0126] Group information 221 includes one or a plu- 
rality of ID 223/mask data 224 sets, and an entry number 
222 showing the number of sets. If the number of sets 
is given as M, a value shown by entry number 222 will 
be M. 

[01 27] Here, mask data 224 is data in which Xnumber 
of high order bits in the 4-bit bit string structuring mask 
data 224 have a value of "1 and any remaining low 
order bits have a value of "0", X thus being expressed 
by this mask data. 

[0128] ID 223 forming a set with mask data 224 that 
expresses X, is data in which only a content of Xnumber 
of bits from the most significant bit ("MSB") in the 4-bit 
bit string structuring ID 223 is useful, the remaining bits 



having a value of "0", for example. 
[0129] All terminal IDs in which the high order X bits 
expressed by mask data 224 match a value of ID 223 
(i.e. the terminal IDs of 2^^-^) number of invalidated ter- 
5 minals) are shown by the sets of ID 223/mask data 224. 
[0130] Consequently, group information 221 is 
formed from one or a plurality of sets that expresses the 
terminal IDs of a plurality of invalidated terminals gener- 
ically. 

10 [0131] Discrete information 225 includes one or a plu- 
rality of IDs 227, and includes an entry number 226 that 
shows the number of IDs 227. If the number of IDs is 

given as A/, a value shown by entry number 226 will be N. 
[0132] IDs 227 each show a terminal ID of an invali- 
ds dated terminal. Consequently, discrete information 225 
is formed from one or a plurality of pieces of information 
that expresses the terminal IDs of invalidated terminals 
discretely. 

[0133] Signature information 230 is a so-called digital 

20 signature generated to reflect the entirety of version in- 
formation 210 and ID-related information 220. 
[0134] Fig. 9 shows exemplary content of a TRL. 
[0135] In Fig. 9 is illustrated a TRL that includes (i) as 
group information, a set consisting of an ID 223 having 

25 a bit string "1100" and mask data 224 having a bit string 
"1100", and a further set consisting of an ID 223 having 
a bit string "01 1 0" and mask data 224 having a bit string 
"1110", and (ii) as discrete information, an ID 227 having 
a bit string "0001". 

30 [0136] The terminal IDs of four invalidated terminals 
(i.e. 1100, 1101, 1110, 1111) are expressed by the set 
formed by the "1100" mask data and the "1100" ID, and 
the terminal IDs of two invalidated terminals (i.e. 0110, 
0111) is expressed by the set formed by the "1110" mask 

35 data and the "0110" ID. 

[01 37] Consequently, the TRL in Fig.9 shows the ter- 
minal IDs of a total of seven invalidated terminal; six ter- 
minals by group information, and one terminal by dis- 
crete information. 

40 

TRL Data Generation Processing 

[01 38] Fig. 1 0 is a flowchart showing TRL data gener- 
ation processing, which is a part of the TRL generation/ 
45 transmission processing conducted by management 
device 110 in embodiment 1. 

[0139] TRL generation unit 112 in management de- 
vice 110 conducts TRL data generation processing after 
acquiring terminal IDs related to invalidated terminals 
50 from invalidated-terminal ID acquisition unit 111 (see 
Fig.5). 

[0140] First, TRL generation unit 112 stores the ac- 
quired terminal IDs in a ID working area which is an area 
on a storage medium such as a memory or the like (step 
55 S201), stores two pieces of 1-bit bit data "0" and "1" in 
a bit working area which is an area on a storage medium 
such as a memory or the like (step S202), and sets "1" 
in variable X (step S203). 
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[0141] Next, TRL generation unit 112 focuses on a 
piece of X-bit bit data in the bit working area that has 
not been focused on (step S204), and counts the 
number of terminai IDs stored in the ID working area 
that satisfy a condition that the high order X bits match 5 
the bit data currently being focused on (step S205). 
[0142] When the counted number in step S205 is 
2(4-^) (step S206), TRL generation unit 112 deletes the 
terminal IDs satisfying the condition in step S205 (step 
S207), and with respect to the terminal IDs satisfying 
the condition, determines a 4-bit bit string having the 
high order X bits set to "1 " and the remaining bits set to 
"0" as mask data, and determines a 4-bit bit string hav- 
ing the high order X bits set to be the same as the bit 
data currently being focused on and the remaining bits 
set to "0" as an ID, corresponds and retains the deter- 
mined mask data and ID in an area of a storage medium 
(e.g. memory, etc) as group information (step S208). 
and conducts the step S209 judgment. 
[0143] When the counted number in step S205 is 0 or 
1 (step S206), TRL generation unit 112 skips steps S207 
and S208, and conducts the step S209 judgment 
[0144] In the case that the counted number in step 
S205 is not any of 2(4-x), 0 or 1 (step S206), if two or 
more of the terminal IDs satisfying the condition in step 
S205 have an X+l^^ bit from the MSB that Is "0", TRL 
generation unit 112 stores, in the bit working area, bit 
data formed by adding a 1-bit "0" to the least significant 
bit ("LSB") of the bit data being focused on (step S210). 
and if two or more of the terminal ID satisfying the con- 
dition have an X+1*f^ bit from the MSB that is "1", TRL 
generation unit 112 stores, in the bit working area, bit 
data formed by adding a 1-bit"1"to the low order of the 
bit data being focused on (step S211), and conducts the 
step S209 judgment. 

[0145] In step S209. TRL generation unit 112 judges 
whether there exists a piece of X-bit bit data that has yet 
to be focused on, and when there exists a piece of X-bit 
bit data yet to be focused on (3209 = YES), TRL gen- 
eration unit 112 returns to step S204, and conducts 
processing to focus on the next piece of bit data, and 
when there does not exist a piece of X-bit bit data yet to 
be focused on (S209 = NO), TRL generation unit 112 
increases variable X by "1" (step S212), and judges 
whether variable X equals "4" (step 8213). 
[0146] When variable X does not equal "4" (821 3 = 
NO). TRL generation unit 112 returns to step S204, and 
conducts processing to focus on the next piece of bit 
data, and when variable Xequals "4" (S213 = YES), and 
if there remain terminal IDs in the ID working area, TRL 
generation unit 112 stores the remaining terminal IDs in 
an area of a storage medium (e.g. memory, etc.) as IDs 
in discrete information (step 8214), thus ending the TRL 
data generation processing. 

[0147] Here, the TRL construction shown in step 823 
of Fig.5 is executed by adding, in addition to version in- 
formation and signature information, respective entry 
numbers to the group information and discrete informa- 



tion retained in an area of a storage medium as a result 
of the above TRL data generation processing. 
[0148] Consequently, when the seven terminal IDs 
"OOOr. "0110", "0111", "1100", "1101", "IHO", and 
"1111" are acquired from invalidated-terminal ID acqui- 
sition unit 111, a TRL having the content shown in Fig. 
9 is generated as a result of the above procedures. This 
TRL shows, in Fig. 3, a group consisting of adjacent ter- 
minals 6 and 7, a group consisting of terminals 12 to 15, 
and terminal 1 to be invalidated terminals. 
[0149] Furthermore, when there is not even one inval- 
idated terminal, the entry number in both the group in- 
formation and the discrete information will be "0". 



[0150] Fig. 11 is* a flowchart showing TRL collation 
processing, which is a part of the content key transmis- 
sion processing conducted by content key distribution 
device 120 in embodiment 1. 

[0151] Collation unit 126 in content key distribution 
device 120 conducts TRL collation processing every 
time a terminal ID sent from a terminal is obtained by 
transmission request reception unit 125. 
[0152] Collation unit 126 judges whether an ID 227 
that matches a terminal ID sent from a terminal exists 
in discrete information 225 stored in TRL storage unit 
121 (step 8221), and if there is a matching ID 227. col- 
lation unit 126 judges the terminal ID acquired from the 
terminal to be the terminal ID of an invalidated terminal 
(step S222), and ends the TRL collation processing. 
[0153] In step S221, when judged that an ID 227 
matching the terminal ID sent from the terminal is not 
included in discrete information 225 of the TRL. collation 
unit 126 checks whether any of the terminal IDs shown 
by each set of ID 223 and mask data 224 in the group 
information of the TRL matches the terminal ID sent 
from the terminal (step 8223, 8224). 
[0154] More specifically, collation unit 126 computes 
a bitwise AND (i.e. a logical product operation carried 
out In a bitwise fashion) of the terminal ID sent from the 
terminal and mask data 224 (step S223), judges wheth- 
er the computed AND matches an ID 223 forming a set 
with the mask data (step 8224). and if matched (8224 
= YES), judges the terminal ID acquired from the termi- 
nal to be the terminal ID of an invalidated terminal (step 
8222), and ends the TRL collation processing. 
[0155] If not matched In step S224 (8224 = NO), col- 
lation unit 126 judges whether the step 8223 and S224 
processing has been conducted for all the sets of ID 223 
and mask data 224 in the group information in the TRL 
(step 8225), and if the processing has not been com- 
pleted (8225 = NO), collation unit 126 again conducts 
the step 8223 and 8224 processing. 
[01 56] If judged in step 8225 that the processing has 
been completed for all the sets (8225 = YES), collation 
unit 126 judges the terminal ID acquired from the termi- 
nal to not be the terminal ID of an invalidated terminal 
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(step S226), and ends the TRL collation processing. 
[0157] The following describes the concrete opera- 
tions of content key distribution device 120 with refer- 
ence to Figs. 7 and 1 1 . given that the content of the TRL 
stored in TRL storage unit 1 21 is as shown in Fig. 9. and 
assuming that a transmission signal which includes a 
terminal ID "1101" has been sent to content key distri- 
bution device 120 from terminal 13. 
[0158] Transmission request reception unit 125 in 
content key distribution device 120 acquires and con- 
veys to collation unit 126 a terminal ID "1101" sent from 
terminal 13 (step S41), collation unit 126 judges whether 
terminal ID "1101" sent from terminal 13 is included in 
discrete information in the TRL (step S221), and since 
the only ID in the discrete information is "0001", collation 
unit 126ANDS terminal ID "1101" and mask data "1100" 
in the group information (step S223). 
[0159] The AND computed in step S223 is "1 100". and 
collation unit 126 judges whether the derived bit string 
"1 100" and ID "1 100" match (step S224), and since there 
is a match, collation unit 126 judges the terminal ID ac- 
quired from the terminal to be the terminal ID of an in- 
validated terminal (step S222), and as a result (step 
S43), conveys to encrypted content key transmitting unit 
128 that an error message should be transmitted, and 
having received this instruction, encrypted content key 
transmitting unit 128 transmits an error message to ter- 
minal 13 (step S47). 

[0160] Next, a description will be given of the concrete 
operations of content key distribution device 120, based 
on the same premise as above, and assuming that a 
transmission signal which includes a terminal ID "0010" 
has been sent to content key distribution device 120 
from terminal 2. 

[0161] Transmission request reception unit 125 in 
content key distribution device 120 acquires and con- 
veys to collation unit 126 a terminal ID "0010" sent from 
terminal 2 (step S41), collation unit 126 judges whether 
terminal ID "0010" sent from terminal 2 is included in 
discrete information in the TRL (step S221), and since 
the only ID in the discrete information is "0001 ", collation 
unit 126 AMDs terminal ID "0010" and mask data "1100" 
in the group information (step S223). 
[0162] The AND computed in step S223 Is "0000", 
and collation unit 126 judges whether the derived bit 
string "0000" and ID "1100" match (step S224). and 
since there is not a match, collation unit 126 ANDs ter- 
minal ID "0010" and mask data "1110" in the group in- 
fonnation (steps S225, S223). 

[0163] The AND thus computed is "0010", and colla- 
tion unit 1 26 judges whether the derived bit string "001 0" 
and ID "0110" match (step S224). and since there is not 
a match and there are no more pieces of unprocessed 
mask data in the group information (step S225), colla- 
tion unit 126 judges terminal ID "0010" acquired from 
the terminal to not be the terminal ID of an invalidated 
terminal (steps S226. S43), and conveys terminal ID 
"0010" to encryption unit 127. 



[0164] On receipt of terminal ID "0010", encryption 
unit 127 encrypts a content key stored in content key 
storage unit 123, by extracting and using an encryption 
key EK2 corresponding to "0010" from encryption key 
5 storage unit 1 24 (step S45), and conveys the encrypted 
content key obtained as a result to encrypted content 
key transmitting unit 128. 

[0165] When the encrypted content key is conveyed, 
encrypted content key transmitting unit 128 transmits 
10 the encrypted content key to terminal 2 (step S46) . Con- 
sequently, terminal 2, having acquired the encrypted 
content key, decrypts the encrypted content key using 
a decryption key OK2 stored internally, and thus obtains 
a content key. 

15 

Embodiment 2 

[0166] The following description relates to a content 
key distribution system according to an embodiment 2. 

20 [01 67] The content key distribution system according 
to embodiment 2 includes basically the same system 
structure as content key distribution system 100 shown 
in embodiment 1, and conducts basically the same sys- 
tem operations. Consequently, the various devices are 

25 shown using the same reference numbering as in Fig.1 
and the like, and a description of parts that are the same 
as embodiment 1 have been omitted. 
[0168] In embodiment 2, however, a data structure of 
terminal IDs is special, and a data structure of a TRL 

30 differs from that of embodiment 1 . For this reason, mafv 
agement device 110 conducts TRL data generation 
processing that differs from the TRL data generation 
processing shown in embodiment 1, and content key 
distribution device 120 conducts TRL collation process- 

35 ing that differs from the TRL collation processing shown 
in embodiment 1 . 

Terminal IDs 

40 [0169] Fig. 12 shows the data structure of a terminal 
ID in embodiment 2. 

[0170] In Fig. 12 is shown an exemplary structure in 
which a terminal ID is set to be 128 bits, so that it can 
be corresponded to hundreds of millions of terminal or 

45 more in a content key distribution system. 

[0171] The terminal ID is constituted by a 32-bit man- 
ufacturer ID field 301, a 32-bit product ID field 302, a 
32-bit product version ID field 303, and a 32-bit serial 
number field 304. 

50 [0172] Here, in manufacturer ID field 301 is stored a 
manufacturer ID that is for identifying a manufacturer 
that made a content playback device. 
[0173] In product ID field 302 Is stored a product ID 
that is for identifying products of the manufacturer de- 

55 termined by the manufacturer ID. 

[0174] In product version ID field 303 is stored a prod- 
uct version ID that shows a version number which is up- 
dated whenever there is a form change or the like in re- 
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tation to a product determined by a product ID. 
[0175] In serial number field 304 is stored a serial 
number consigned to discrete products. 

TRL Structure 5 

[01 76] Fig. 1 3 shows a data structure of a TRL in em- 
bodiment 2. 

[0177] In Fig. 13 is shown an exemplary data structure 
of a TRL corresponding to when the number of terminals 
is in the hundreds of millions or more. 
[01 78] As shown in Fig. 1 3, the TRL is structured from 
8-bit version information 310, 128-bit issuer information 
320, a 128-bit invalidated terminal number 330. ID-re- 
lated information 340, and 320-bit signature information 
350. 

[0179] Version information 310 is information showing 
a version number of the TRL, and the version number 
is changed every time, for example, a TRL having dif- 
ferent content is newly generated. 
[0180] Issuer information 320 is information showing 
an issuance origin of a TRL. 

[0181] Invalidated terminal number 330 is the number 
of invalidated terminals. 

[0182] ID-related information 340 includes one or a 
plurality of sets of 128-bit IDs 342 and 8-bit mask bits 
343. and an entry number 341 showing the number of 
sets. If the number of sets is given as N, a value shown 
by entry number 341 will be N. 

[01 83] Here, mask bit 343 takes a value from 1 to 1 28. 
Also, if the value of mask bit 343 is given as X, it is pos- 
sible to derive mask data having a form that shows the 
high order X bits in a 128-bit bit string to be "1" and any 
remaining low order bits to all be "0". 
[0184] Furthermore, ID 342 forming a set with mask 
bit 343 is data in which only a content of the number of 
bit digits, from an MSB in the 128-bit bit string structuring 
the ID. whose value is shown by mask bit 343, are use- 
ful, and in which other values are, for example, "0". 
[01 85] All of the terminal IDs whose high order X bits, 
expressed by value X of mask bit 343, match a value of 
ID 342 (i.e. the terminal IDs of 2''28-x number of invali- 
dated terminals) are shown by the set of ID 342 and 
mask bit 343. 

[01 86] Signature information 350 is a so-called digital 
signature created to reflect an entirety of version infor- 
mation 310, issuer information 320, invalidated terminal 
number 330, and ID-related information 340. 

TRL Data Generation Processing 

[0187] Fig. 14 is a flowchart showing TRL data gener- 
ation processing, which is a part of the TRL generation/ 
transmission processing conducted by management 
device 110 in embodiment 2. 

[0188] A terminal ID is described here as being an N- 
bit. N is, for example, 128 bits. 
[0189] TRL generation unit 112 in management de- 



vice 110 conducts TRL data generation processing after 
acquiring terminal IDs related to invalidated terminals 
from invalidated-terminal ID acquisition unit 111 (see 
Fig.5). 

[0190] First, TRL generation unit 112 stores the ac- 
quired terminal IDs in a ID working area which is an area 
on a storage medium such as a memory or the like (step 
S301), stores two pieces of 1-bit bit data "0" and "1" in 
a bit working area which is an area on a storage medium 
such as a memory or the like (step S302). and sets "1" 
in variable X (step S303). 

[0191] Next, TRL generation unit 112 focuses on a 
piece of X-bit bit data in the bit working area that has 
not been focused on (step 8304), and counts the 
number of terminal IDs stored in the ID working area 
that satisfy a condition that the high order X bits match 
the bit data currently being focused on (step S305). 
[0192] When the counted number in step S305 is 
2(N-x) (step S306) , TRL generation unit 112 deletes the 
terminal IDs satisfying the condition in step 8305 (step 
S307), and with respect to the terminal IDs satisfying 
the condition, determines the value of variable X as a 
mask bit, and determines an /V-bit bit string having the 
high order X bits set to be the same as the bit data cur- 
rently being focused on and the remaining bits set to "0" 
as an ID. retains the determined mask bit and ID as a 
set in an area of a storage medium such as a memory 
or the like (step S308), and conducts the step S309 judg- 
ment. 

[01 93] When the counted number in step 3305 is 0 or 
1 (step S306). TRL generation unit 112 skips steps S307 
and S308, and conducts the step 8309 judgment. 
[0194] In the case that the counted number in step 
S305 is not any of 2(n-x), o or 1 (step S306). if two or 
more of the temninal IDs satisfying the condition in step 
S305 have an X+1«h bit from the MSB that is "0". TRL 
generation unit 112 stores, in the bit working area, bit 
data formed by adding a 1-bit "0" to the low order of the 
bit data being focused on (step S3 10), and if two or more 
of the terminal ID satisfying the condition have an X+1*^ 
bit from the MSB that is "1", TRL generation unit 112 
stores, in the bit working area, bit data formed by adding 
a 1-bit "r to the low order of the bit data being focused 
on (step S311). and conducts the step S309 judgment 
[0195] In step S309. TRL generation unit 112 judges 
whether there exists a piece of X-bit bit data that has yet 
to be focused on, and when there exists a piece of X-bit 
bit data yet to be focused on (S309 = YES), TRL gen- 
eration unit 112 returns to step S304, and conducts 
processing to focus on the next piece of bit data, and 
when there does not exist a piece of X-bit bit data yet to 
be focused on (S309 = NO). TRL generation unit 112 
increases variable X by "1" (step S312). and judges 
whether variable X equals N (step S313). 
[0196] When variable X does not equal N (S313 = 
NO), TRL generation unit 112 returns to step S304, and 
conducts processing to focus on the next piece of bit 
data, and when variable X equals A/ (S3 13 = YES) . and 
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if there remain terminal IDs in the ID working area, TRL 
generation unit 112, with respect to the remaining ter- 
minal IDs, stores sets in which A/ is a mask bit and a 
remaining terminal ID is an ID, in an area of a storage 
medium such as a memory or the like (step S3 14), thus 
ending the TRL data generation processing. 
[0197] Here, in embodiment 2, the TRL construction 
shown in step S23 of Fig. 5 is executed by adding, in 
addition to a version, issuer information, an invalidated- 
terminal number and signature information, an entry 
number to the one or plurality of sets of mask bits and 
IDs retained in an area of a storage medium as a result 
of the above TRL data generation processing. 
[0198] Fig. 15 shows exemplary content of a TRL. 
[0199] In Fig. 15 is shown exemplary content of a TRL 
which has the data items shown in Fig. 13, and in which 
terminal IDs are 4'bit bit strings, and mask bits are 2-bit 
data expressing "1" to "4". 

[0200] The terminal IDs of all invalidated terminals ex- 
pressed by the ID-related information shown as an ex- 
ample in Fig. 15 are the same as the terminal IDs of all 
invalidated terminals expressed by the ID-retated infor- 
mation shown as an example in Fig.9. 

TRL Collation Processing 

[0201] Fig. 16 is a flowchart showing TRL collation 
processing, which is a part of the content key transmis- 
sion processing conducted by content key distribution 
device 120 in embodiment 2. 

[0202] Collation unit 126 in content key distribution 
device 120 conducts TRL collation processing every 
time a terminal ID sent from a terminal is obtained by 
transmission request reception unit 125. 
[0203] Collation unit 126 checks whether a terminal 
ID sent from a terminal matches a terminal ID shown by 
one of the sets of IDs and mask bits in ID-related infor- 
mation in the TRL (steps S32 1-324). 
[0204] More specifically, collation unit 1 26 focuses on 
a mask bit in the TRL that has yet to be focused on, 
derives mask data corresponding to a value of the mask 
bit as described above (step S321), computes a bitwise 
AND of the terminal ID sent from the terminal and the 
derived mask data (step S322), judges whether the 
computed AND matches an ID 342 in a set with the mask 
bit 343 being focused on (step S323), and if matched, 
judges the terminal ID acquired from the terminal to be 
the terminal ID of an invalidated terminal (step S326), 
and ends the collation processing. 
[0205] If not matched in step S323 (S323 = NO), col- 
lation unit 126 judges whether all of the mask bits 343 
in the TRL have been focused on and had the step S321 
to S323 processing conducted (step S324), and if all of 
the mask bits 343 have not been focused on and had 
the step S321 to S323 processing conducted (S324 = 
NO), collation unit 126 returns to step S321, focuses on 
a mask bit that has yet to be focused on and conducts 
processing. 



[0206] If judged in step S324 that the processing has 
been completed for ail the mask bits (S324 = YES), col- 
lation unit 126 judges the terminal ID acquired from the 
terminal to not be the terminal ID of an invalidated ter- 
5 minal (step S325), and ends the TRL collation process- 
ing. 

Observations 

10 [0207] In the content key distribution system shown 
in embodiment 2, terminal IDs have a data structure 
such as that shown in Fig. 12. and thus when all content 
playback devices having a specific version of a product 
made by a certain manufacturer mounted therein, it is 

15 possible for a management device to generate a TRL 
that specifies, using a small data volume, all content 
playback devices in which only the serial number field 
of the terminal IDs held within the device differ, and to 
transmit the generated TRL to a content key distribution 

20 device. 

[0208] This TRL would include as ID-related informa- 
tion, only a set of (i) mask bit 343 whose value is, for 
example, set to "96" and (ii) ID 342 that is a bit string 
specifying a manufacturer, a product and a version, and 
25 In which the serial number is set to "0". 

Embodiment 3 

[0209] The following description relates to a content 
30 key distribution system according to an embodiment 3. 
[0210] The content key distribution system according 
to an embodiment 3 includes basically the same system 
structure as content key distribution system 100 shown 
in embodiment 1 , and conducts basically the same sys- 
35 tern operations. Consequently, the various devices are 
shown using the same reference numbering as in Fig.l 
and the like, and a description of parts that are the same 
as embodiment 1 have been omitted. 
[0211] In embodiment 3, a data structure of terminal 
40 IDs is the same structure as that shown in embodiment 
2. Also, a data structure of a TRL is different to that 
shown in embodiment 1, and adds a few extra data 
items to the TRL in embodiment 2. For this reason, man- 
agement device 110 conducts TRL data generation 
45 processing that differs slightly from the TRL data gen- 
eration processing shown in embodiment 2, and content 
key distribution device 120 conducts TRL collation 
processing that differs slightly from the TRL collation 
processing shown in embodiment 2. 

50 

TRL Structure 

[021 2] Fig. 1 7 shows a data structure of a TRL in em- 
bodiment 3. 

55 [0213] In Fig. 17 is shown an exemplary data structure 
of a TRL corresponding to when the number of terminals 
is in the hundreds of millions or more. 
[0214] As shown in Fig. 17, the TRL is structured from 
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8-bit version information 410, 128-bit issuer information 
420, a 128-bit invalidated terminal number 430, ID-re- 
lated infonmatlon 440, and 320-bit signature infonnation 
450. 

[0215] Version information 410, issuer information 
420 and invalidated terminal number 430 are the same 
as version information 310, issuer information 320 and 
Invalidated terminal number 330 shown In embodiment 
2. 

[0216] ID-related information 440 is the same as ID- 
related Information 340 shown In embodiment 2 to the 
extent that it includes one or a plurality of sets of 128-blt 
IDs 342 and 8-bit mask bits 343, and an entry number 
441 showing the number of sets. However, ID-related 
information 440 further includes one or a plurality of 
128-bit exception IDs 445 and an exception entry 
number 444 showing the number of exception IDs. If the 
number of exception IDs is given as M, a value shown 
by exception entry number 444 will be M. 
[021 7] Here, an exception ID 445 is the tenninal ID of 
a terminal that is not invalidated. 
[0218] In ID-related infonnation 440, the terminal IDs 
of a plurality of terminal are expressed generically by a 
set of ID 442 and mask bit 443. and terminal IDs ex- 
pressed by the set that are not invalidated-terminal IDs 
are shown by an exception ID 445. 
[0219] Consider an example in which each terminal 
ID is 4 bits, the terminals number 0 to 1 5, and all of ter- 
minals 8 to 15 except for terminal 10 are invalidated. A 
content of ID-related information 440 in this case will be 
formed by a set of an ID 442 "1000" and a mask bit 443 
of value "1", and an exception ID 445 "1010". 
[0220] Signature information 450 is a so-called digital 
signature created to reflect an entirety of version infor- 
mation 410, issuer information 420, invalidated terminal 
number 430. and ID-related information 440. 

TRL Data Generation Processing 

[0221] Fig. 18 is a flowchart showing TRL data gener- 
ation processing, which is a part of the TRL generation/ 
transmission processing conducted by management 
device 110 in embodiment 3. 
[0222] A terminal ID is described here as being an 
bit N is, for example, 128 bits. 

[0223] TRL generation unit 112 in management de- 
vice 110 conducts TRL data generation processing after 
acquiring terminal IDs related to invalidated terminals 
from invalidated-terminal ID acquisition unit 111 (see 
Fig.5). 

[0224] First, TRL generation unit 112 stores the ac- 
quired terminal IDs in a ID working area which is an area 
on a storage medium such as a memory or the like (step 
S401), and with respect to a terminal ID, among the ter- 
minal IDs in the ID working area, for which there does 
not exist a terminal ID whose LSB only differs, TRL gen- 
eration unit 112 generates and stores the terminal ID 
whose LSB only differs in the ID working area, and re- 



tains the generated terminal ID as an exception ID (step 
S402). 

[0225] TRL generation unit 112 then stores two pieces 
of 1-bit bit data "0" and "1" in a bit working area which 
5 is an area on a storage medium such as a memory or 
the like (step S403), and sets "1" in variable X (step 
S404). 

[0226] Following step S404, TRL generation unit 112 
focuses on a piece of X-bit bit data in the bit working 
area that has not been focused on (step S405), and 
counts the number of terminal IDs stored in the ID work- 
ing area that satisfy a condition that the high order X bits 
match the bit data currently being focused on (step 
S406). 

15 [0227] When the counted number in step S406 is 
2(N-X) (step S407), TRL generation unit 112 deletes the 
terminal IDs satisfying the condition in step S406 (step 
S408), and with respect to the terminal IDs satisfying 
the condition, determines the value of variable X as a 

20 mask bit, and determines an A/-bit bit string having the 
high order X bits set to be the same as the bit data cur- 
rently being focused on and the remaining bits set to "0" 
as an ID, retains the determined mask bit and ID as a 
set in an area of a storage medium such as a memory 

25 or the like (step S409), and conducts the step S41 ©judg- 
ment. 

[0228] In the case that the counted number in step 
S406 is not 2(n-x) (step S407), if two or more of the ter- 
minal IDs satisfying the condition in step S406 have an 

30 x+l**' bit from the MSB that is "0", TRL generation unit 
112 stores, in the bit working area, bit data formed by 
adding a 1-bit "0" to the low order of the bit data being 
focused on (step S411), and if two or more of the termi- 
nal ID satisfying the condition have an X-^1^ bit from the 

35 MSB that is "1", TRL generation unit 112 stores, in the 
bit working area, bit data formed by adding a 1-bit "1" to 
the low order of the bit data being focused on (step 
S412), and conducts the step S410 judgment. 
[0229] In step S410, TRL generation unit 112 judges 

40 whether there exists a piece of X-bit bit data that has yet 
to be focused on, and when there exists a piece of X-bit 
bit data yet to be focused on (S410 = YES), TRL gen- 
eration unit 112 returns to step S405, and conducts 
processing to focus on the next piece of bit data, and 

45 when there does not exist a piece of X-bit bit data yet to 
be focused on (S41 0 = NO), increases variable X by "1 " 
(step S413), and judges whether variable X equals N 
(step S414). 

[0230] When variable X does not equal N (S414 = 
50 NO), TRL generation unit 112 returns to step S405, and 
conducts processing to focus on the next piece of bit 
data, and when variable X equals A/ (S4 14 = YES), TRL 
generation unit 112 ends the TRL data generation 
processing. 

55 [0231] Here, in embodiment 3, the TRL construction 
shown in step S23 of Fig.5 is executed by adding, in 
addition to a version, issuer information, an invalidated- 
terminal number and signature information, an entry 
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number to the one or plurality of sets of mask bits and 
IDs retained In an area of a storage medium as a result 
of the above TRL data generation processing, and an 
entry number to the exception ID. 

TRL Cotlation Processing 

[0232] Fig. 19 is a flowchart showing TRL collation 
processing, which is a part of the content key transmis- 
sion processing conducted by content key distribution 
device 120 in embodiment 3. 

[0233] Collation unit 126 in content key distribution 
device 120 conducts TRL collation processing every 
time a terminal ID sent from a terminal is obtained by 
transmission request reception unit 125. 
[0234] Collation unit 126 checks whether a terminal 
ID sent from a terminal matches a terminal ID shown by 
one of the sets of IDs and mask bits in ID-related infor- 
mation in the TRL (steps S42 1-424). 
[0235] More specifically, collation unit 1 26 focuses on 
a mask bit in the TRL that has yet to be focused on, 
derives mask data corresponding to a value of the mask 
bit as described above (step S421), computes a bitwise 
AND of the terminal ID sent from the terminal and the 
derived mask data (step S422), and judges whether the 
computed AND matches an ID 342 in a set with the mask 
bit 343 being focused on (step S423). 
[0236] If judged in step S423 to be a matched (S423 
= YES), collation unit 126 checks whether the terminal 
ID sent from the terminal matches an exception ID in the 
TRL (step S426), and if not matched (S426 = NO) , judg- 
es the terminal ID acquired from the terminal to be the 
terminal ID of an invalidated terminal (step S427), and 
ends the collation processing. If judged In step S426 to 
be a matched (S426 = YES), collation unit 126, judges 
the terminal ID acquired from the terminal to not be the 
terminal ID of an invalidated terminal (step S425), and 
ends the collation processing. 

[0237] If judged in step S423 that the computed AND 
does not match the ID 342 in the set with the mask bit 
343 being focused on (S423 = NO), collation unit 126 
judges whether all of the mask bits 343 in the TRL have 
been focused on and had the step S421 to S423 
processing conducted (step S424), and if all of the mask 
bits 343 have not been focused on and had the step 
S421 to S423 processing conducted (S424 = NO), col- 
lation unit 126 returns to step S421, focuses on a mask 
bit that has yet to be focused on and conducts process- 
ing. 

[0238] If judged in step S424 that the processing has 
been completed for all the mask bits (S424 = YES), col- 
lation unit 126 judges the terminal ID acquired from the 
terminal to not be the terminal ID of an invalidated ter- 
minal (step S425), and ends the TRL collation process- 
ing. 



Observations 

[0239] According to the content key distribution sys- 
tem shown in embodiment 3, if, for example, a couple 

5 of dozen terminals having consecutive serial numbers 
and whose terminal IDs have bit strings in which a 
number of high order digits are the same, are all invali- 
dated terminals except for a few, it is possible to specify 
invalidated terminals using a TRL in which the IDs that 

10 include bit strings having the same value digits are de- 
termined as IDs in the ID-related information of the TRL, 
a value showing the number of digits of the sections that 
are the same is determined as a mask bit forming a set 
with the ID, and terminal IDs relating to the few terminals 

15 that are not invalidated are determined as exception I Ds 
in the ID-related information. As a result, it is possible 
to suppress to data volume of a TRL. 

Embodiment 4 

20 

[0240] The following describes a content distribution 
system according to an embodiment 4, 
[0241] Fig. 20 is a structural diagram of a content key 
distribution system according to embodiment 4 of the 
25 present invention. 

[0242] In comparison with management device 1 1 0 in 
content key distribution system 100 shown in embodi- 
ment 1 . which was for transmitting a TRL to content key 
distribution device 120 via a communication channel, in 
30 content key distribution system 500 according to em- 
bodiment 4, a management device 510 is structured to 
store a TRL on a storage medium 501 such as an optical 
magnetic disk or the like, and a content key distribution 
device 520 is structured to read the TRL from storage 
35 medium 501. 

[0243] In Fig. 20, elements that are basically the same 
as those in embodiment 1 (see Fig.1) are shown using 
Uie same reference numbering, and a detailed descrip- 
tion of these elements is omitted here. 
40 [0244] Management device 510 is, for example, a 
computer or the like installed in an organization that con- 
ducts operations relating to the protection of the copy- 
right and the like of content, and conducts processing 
to generate a TRL that has as main content, information 
45 for specifying all terminals with respect to which protec- 
tion of copyright and the like can no longer be guaran- 
teed due to a decryption key stored therein having been 
disclosed (i.e. all terminals to which an encrypted con- 
tent key should not be distributed), and for storing the 
50 generated TRL on a storage medium. Management de- 
vice 510 includes invalidated-terminal ID acquisition unit 
111, TRL generation unit 112, and a TRL storage unit 
513, and is capable of mounting storage medium 501, 
which is an optical magnetic disk or the like. 
55 [0245] Here, TRL generation unit 112 functions to 
generate a TRL whose main content is information 
specifying invalidated terminals, based on the terminal 
IDs provided by invalidated-terminal ID acquisition unit 
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111, and to convey the generated TRL to TRL storage 
unit 513. 

[0246] TRL storage unit 513 functions to store a TRL 
conveyed from TRL generation unit 112 on storage me- 
dium 501 mounted in management device 510. 
[0247] Management device 510 conducts TRL gener- 
ation/transmission processing in which step S24 shown 
In Fig. 5 is replaced by processing to record a TRL on 
a storage medium. 

[0248] Storage medium 501 having a TRL stored 
therein by management device 510 is delivered to con- 
tent key distribution device 520. For example, every time 
a TRL having new content is generated, the TRL may 
be stored on a storage medium, and delivered to a con- 
tent key distribution device. 

[0249] Content key distribution device 520 is a com- 
puter for conducting content key distribution processing 
that involves transmitting an encrypted content key to 
terminals from which a transmission request for a con- 
tent key has been received, so long as the terminal is 
not an invalidated terminal. Functionally, content key 
distribution device 520 includes TRL storage unit 121, 
a TRL reading unit 522, content key storage unit 123, 
encryption key storage unit 124, transmission request 
reception unit 125, collation unit 126, encryption unit 
127, and encrypted content key transmitting unit 128, 
and is capable of mounting storage medium 501 (eg. 
optical magnetic disk, etc.). 

[0250] Here. TRL reading unit 522 functions to read 
a TRL from storage medium 501 mounted in content key 
distribution device 520, and to store the read TRL in TRL 

storage unit 121, 

[0251] Consequently, in content key distribution sys- 
tem 500, management device 510 and content key dis- 
tribution device 520 can realize transfer, even when not 
connected by a communication channel. 
[0252] A TRL employed in embodiment 4 may be a 
TRL as shown in any of embodiments 1 to 3, and the 
content key distribution device may be structured to con- 
duct TRL collation processing and the like as required 
by the structure of the TRL. 

Supplementary Matters 

[0253] An encryption communications system ac- 
cording to the present invention is described above in 
embodiments 1 to 4 when applied as a content key dis- 
tribution system. The present invention is, however, not 
limited to embodiments such as these. More specifical- 
ly: 

(1) In embodiments 1 to 3, a communication chan- 
nel is shown for distributing a TRL between a man- 
agement device and a content key distribution de- 
vice, and in embodiment 4, a storage medium is 
shown for use in delivering a TRL, However, a TRL 
may be transferred between a management device 
and a content key distribution device using a com- 



bination of a communication channel and a storage 
medium. For example, a TRL may be delivered on 
a storage medium from a management device to a 
separate communications device, and the TRL may 
5 be distributed from the communications device to a 
content key distribution device via a communication 
channel. 

(2) A content playback device shown in the above 
10 embodiments is not necessarily required to send a 

transmission request to a content key distribution 
device after acquiring encrypted content, and may. 
for example, acquire and conduct playback of en- 
crypted content after acquiring a content key. 

15 

(3) Each content playback device shown in the 
above embodiments is structure to hold a decryp- 
tion key unique to the content playback device, and 
a content key distribution device is structured to 

20 hold encryption keys that correlate one-to-one with 
the decryption keys. However, a content playback 
device may be structured to have a plurality of de- 
cryption keys, and to include, in the transmission 
request sent to a content key distribution device, a 

25 . decryption key ID for identifying a decryption key. 
Furthermore, the content key distribution device 
may hold, in correspondence with the decryption 
key IDs, encryption keys correlating with all of the 
decryption keys, and may transmit a content key to 

30 the content playback device using an encryption 
key corresponding to the sent decryption key ID. In 
this case, it is preferable to structure the system 
such that, instead of terminal IDs of invalidated ter- 
minals, decryption key IDs corresponding to de- 

35 cryption keys to be invalidated are specify by ID- 
related information in a TRL such as shown in the 
embodiments, and that in the TRL processing and 
the like, decryption keys are targeted for collation 
rather than terminal IDs. 

40 Furthermore, decryption keys and decryption 

key IDs may be stored on an IC card or the like that 
is mountable in a content playback device. 

(4) In embodiment 1 to 3, TRL generation unit 112 
45 in the management device automatically generates 

a TRL by TRL data generation processing (Figs.1 0, 
14, 18) and the like. However, an algorithm for gen- 
erating the ID-related information in a TRL is not lim- 
ited to this. Furthermore, a TRL may be generated 
so by receiving an input operation from an operator or 
the like, or a TRL generated in an external device 
may be distributed by TRL transmitting unit 113 after 
being acquired from within the management device. 

55 Furthermore, a plurality of management devic- 

es may exist in a content key distribution system, 
and a TRL may be sent from one management de- 
vice to another management device. Furthermore, 
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a management device may conduct the transmis- 
sion of a TRL when a request is sent to the man- 
agement device from a content key distribution de- 
vice, and a content key distribution device may re* 
quest a management device to sent a TRL period- 5 
ically or when there is a transmission request from 
a terminal. 

(5) A content of the data structure of terminal IDs 
shown in embodiment 2 does not necessarily have io 
to be as shown in Fig. 12. However, it is possible to 
reduce the data volume of a TRL when, for exam- 
ple, all of the terminals from a particular manufac- 
turer are invalidated terminals, by having bit strings 
expressing a manufacturer, product and the like in- is 
eluded in terminal IDs. 

Furthermore, in embodiment 2, an example is 
given which defines terminal IDs as expressing 
manufacturer IDs by high order bit strings. Howev- 
er, terminal IDs may be defined as expressing man- 20 
ufacturer IDs by low order bit strings In a terminal 
ID, or as expressing manufacturer IDs by interme- 
diate bit strings between high and low order bit 
strings. 

25 

(6) Although a mask bit in ID-related information in 
a TRL shown in embodiment 2 is, for example, 
fixed-length data of 8 bits or the like, the mask bit 
may be variable-length data and paired with infor- 
mation showing the data length. 30 

(7) In relation to ID-related information obtained as 
a result of the TRL data generation processing 
shown in embodiment 3, when a terminal ID is 128 
bits, and the ID-related information includes an ex- 35 
ception ID and a set having an ID whose LSB is "0" 
and a mask bit of "127", the set and the exception 

ID may be deleted, and a set added to the I D-related 
information that has mask bit of "128" and a bit 
string obtained by inverting the LSB of the exception 40 
ID as an ID. 

Furthermore, in embodiment 3, each exception 
ID is described as showing a single terminal ID, al- 
though instead of the exception ID shown in Fig. 17, 
exception group information that includes one or a 45 
plurality of sets of exception IDs and exception 
mask bits may be included in the ID-related infor- 
mation of a TRL. In other words, the ID-related in- 
formation may be structured such that all terminal 
IDs except for the terminal IDs shown by the excep- 50 
tion ID/exception mask bit sets are the terminal IDs 
of invalidated terminals. 

(8) In embodiments 1 to 4, an example is given of 

an encryption communications system according to 55 
the present invention being applied in a content key 
distribution system. However, if the communica- 
tions system is one that receives terminal IDs from 



terminals, judges whether or not those terminals are 
invalidated terminals, and determines whether or 
not to execute some sort of communication 
processing depending on the judgment result, then 
the communication processing content is not espe- 
cially limited to transmitting encrypted content keys. 
For example, it is acceptable to determine, depend- 
ing on the result of the judgment as to whether a 
terminal is invalidated, whether to execute process- 
ing for receiving Important data sent from the termi- 
nal after being encrypted by performing an encryp- 
tion unique to the terminal. 

(9) A computer program for having a computer or 
the like execute the processing procedures of the 
content key distribution system shown in embodi- 
ments 1 to 3 (i.e. the procedures shown in Figs. 
5-7, 10, 11, 14. 16. 18. 19, etc.) can be distributed 
by being stored on a storage medium or be being 
circulated via any of a variety of communication 
channels or the like. The storage medium may be 
an IC card, an optical disk, a flexible disk, a ROM. 
or the like. A computer program distributed by cir- 
culation via a communication channel or the like 
may be submitted for use by being installed or the 
like in a computer or the like, and the computer or 
the like can conduct processing such as that shown 
in embodiments 1 to 3 by executing the computer 
program. 

INDUSTRIAL APPLICABILITY 

[0254] The encryption communications system of the 
present invention is applicable as. for example, a con- 
tent key distribution system constituted by a plurality of 
terminals, computers, or the like, for providing the cop- 
yright protection of digital content 



Claims 

1. An encryption communications system comprising 
an encryption communications device, a plurality of 
terminals that are each operable to transmit to the 
encryption communications device an identifier, 
which is a bit string having a predetermined number 
of bits for Identifying the terminal, and a manage- 
ment device that generates invalldated-terminal in- 
formation showing one or more of the identifiers as 
information specifying one or more terminals to be 
invalidated, wherein 

the management device has: 

an invalidated-terminal information generation 
unit operable to generate the invalidated-termi- 
nal information using a data format that gener- 
ically expresses, by information specifying a 
value of a section in a bit string having the pre- 
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determined number of bits, at! identifiers in 
which a value of the section matches the spec- 
ified value; and 

an output unit operable to output the generated 
invalidated-terminal information, and s 
the encryption communications device has: 

an invalidated-terminal information acqui- 
sition unit operable to acquire the invalidat- 
ed-terminal information outputted by the io 
management device; 

an identifier receiving unit operable, when 
an identifier is transmitted from one of the 
terminals, to receive the identifier; 
a judging unit operable to judge whether 15 
the received identifier matches any of the 
one or more identifiers shown by the inval- 
idated-terminal information as information 
specifying one or more terminals to be in- 
validated; and 20 
a communication unit operable (i) when 
judged to not be any matches, to conduct 
a predetermined communication with the 
terminal that transmitted the identifier, by 
performing an encryption unique to the ter- 25 
minal, and (ii) when judged to be a match, 
to not conduct the predetermined commu- 
nication with the terminal. 

2. The encryption communications system of claim 1 . 30 
wherein 

the invalidated-terminal information (i) in- 
cludes one or more sets of corresponded value and 
position information, each piece of value informa- 
tion showing a value of a section of a bit string hav- 35 
ing the predetermined number of bits, and a corre- 
sponding piece of position information being for 
specifying a bit position of the section in the bit 
string, and (ii) is information specifying, as a termi- 
nal to be invalidated, all terminals identified respec- 40 
tively by all identifiers in which a value of a partial 
bit string located in a bit position specified by a piece 
of position Information matches a value shown by a 
piece of value information corresponding to the 
piece of position information, and 45 

the judging unit (i) verifies, for each piece of 
position information, whether a value, in the re- 
ceived identifier, of a partial bit string located in a bit 
position specified by the piece of position informa- 
tion matches a value shown by a piece of value in- so 
formation corresponding to the piece of position in- 
formation, and (ii) judges, when verified that there 
is at least one match, that the received identifier 
matches an identifier shown by the invalidated-ter- 
minal information. 55 

3. The encryption communications system of claim 1 , 
wherein 



the invalidated-terminal information (i) in- 
cludes one or more sets of corresponded represent- 
ative information and mask flags, each piece of rep- 
resentative information being a bit string having the 
predetermined number of bits, and a corresponding 
mask flag having the predetermined number of bits, 
and (ii) is information specifying, as a terminal to be 
invalidated, all terminals identified by identifiers in 
which a value of a section having a bit value of "1" 
in a mask flag matches a value of the section in a 
piece of representative information corresponding 
to the mask flag, and 

the judging unit (i) verifies, for each mask flag, 
whether an AND of the mask flag and the received 
identifier matches an AND of the mask flag and a 
piece of representative information corresponding 
to the mask flag, and (ii) judges, when verified that 
there is at least one match, that the received iden- 
tifier matches an identifier shown by the invalidated- 
terminal information. 

4. The encryption communications system of claim 3. 
wherein 

the invalidated-terminal information genera- 
tion unit generates isolated-value information for in- 
cluding in the invalidated-terminal information, each 
piece of isolated-value information having the pre- 
determined number of bits. 

the invalidated-terminal information is infor- 
mation further specifying, as a terminal to be inval- 
idated, terminals identified by identifiers that match 
a piece of isolated-value information, and 

the judging unit further judges, when the re- 
ceived identifier matches a piece of isolated-value 
information, that the received identifier matches an 
identifier shown by the invalidated-terminal infor- 
mation. 

5. The encryption communications system of claim 1 , 
wherein 

the invalidated-terminal information (i) in- 
cludes one or more sets of corresponded signifi- 
cant-digit and value information, each piece of sig- 
nificant-digit information showing a number of bit 
digits, and a corresponding piece of value informa- 
tion showing a value of a bit string having the 
number of bit digits, and (ii) is information specify- 
ing, as a terminal to be invalidated, all terminals 
identified by identifiers in which a value of a bit string ^ 
having, from a most significant bit, a number of bit 
digits shown by a piece of significant-digit informa- 
tion matches a value shown by a piece of value in- 
formation corresponding to the piece of significant- 
digit information, and 

the judging unit (i) verifies, for each piece of 
significant-digit information, whether, in the re- 
ceived identifier, a value of a bit string having, from 
a most significant bit, a number of bit digits shown 
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by the piece of significant-digit information matches 
a value shown by a piece of value information cor- 
responding to the piece of significant-digit informa- 
tion, and (ii) judges, when verified that there is at 
least one match, that the received identifier match- 
es an identifier shown by the invalidated-terminal 
information. 

6. The encryption communications system of claim 5, 
wherein 

the management device has an identifier ac- 
quisition unit operable to acquire the identifiers of 
all terminals to be invalidated, and 

the invalidated-terminal information genera- 
tion unit (i) specifies one or more X values satisfying 
a condition that, out of the identifiers acquired by 
the identifier acquisition unit, the number of identi- 
fiers which have matching X number of bits from a 
most significant bit is 2(^-^, and (ii) generates the 
Invalidated-terminal information using a data format 
that generically expresses, for each X value, the 
2(W-^ identifiers by significant-digit information 
showing the X number of bit digits, and by value in- 
formation showing a value of a bit string of X bits 
from the most significant bit in the 2(^-^ identifiers, 
where N is the predetermined number of bits. 

7. The encryption communications system of claim 6, 
wherein 

each terminal is manufactured by one of a plu- 
rality of manufacturers, and 

an identifier identifying the terminal shows the 
manufacturer of the terminal by a bit string having 
a predetermined number of bits from a most signif- 
icant bit in the identifier. 

8. The encryption communications system of claim 7, 
wherein 

the identifier identifying the terminal shows a 
product type to which the terminal belongs, by a bit 
string having a predetermined number of bits that 
starts from an end of the bit string showing the man- 
ufacturer. 

9. The encryption communications system of claim 7, 
wherein 

each terminal holds a decryption key unique 
to the terminal, and is further operable to internally 
store encrypted content, which is content encrypted 
by a content key, 

the output unit conducts the output by trans- 
mitting the invalidated-terminal information to the 
encryption communications device, 

the encryption communications device has: 

an encryption key storage unit operable to store 
encryption keys that correlate one-to-one with 
the decryption keys of all of the terminals; and 



a content key storage unit operable to store the 
content key, 

the invalidated-terminal information acquisition 
unit conducts the acquisition by receiving the 
5 invalidated-terminal information transmitted by 

the output unit, 

the communication unit, when judged by the 
judging unit that the received identifier does not 
match any of the identifiers shown by the inval- 

fo idated-terminat information, encrypts the con- 

tent key using an encryption key that correlates 
with the decryption key unique to the terminal 
which transmitted the identifier, and transmits 
the encrypted content key to the terminal, and 

15 each terminal has: 

a decrypting unit operable to decrypt the 
encrypted content key transmitted from the 
encryption communications device, using 
20 the decryption key unique to the terminal; 

and 

a playback unit operable, when the en- 
crypted content is stored in the terminal, to 
decrypt the encrypted content using the 
25 decrypted content key, and to playback the 

decrypted content. 

10. The encryption communications system of claim 1, 
wherein 

30 the invalidated-terminal information (i) in- 

cludes one or more pieces of generic and exception 
information, each piece of generic Information 
specifying both a section in a bit string having the 
predetermined number of bits and a value of the 

35 section, and each piece of exception information 
having the predetermined number of bits, and (ii) is 
information specifying, as a terminal to be invalidat- 
ed, all terminals identified by identifiers in which a 
section specified by a piece of generic information 

40 matches a value specified by the piece of generic 
information, and which do not match a piece of ex- 
ception information, and 

the judging unit (i) verifies whether a section, 
in the received identifier, specified by a piece of ge- 

45 neric information matches a value specified by the 
piece of generic information, and (it) judges, when 
verified that there is a match, that the received iden- 
tifier matches an identifier shown by the invalidated- 
terminal information, except when the received 

50 identifier matches a piece of exception information. 

1 1 . The encryption communications system of claim 1 0, 
wherein 

the management device has an identifier ac- 
55 quisition unit operable to acquire the identifiers of 
all terminals to be invalidated, and 

the invalidated-terminal information genera- 
tion unit (i) determines, as the exception informa- 
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tion. an A/-bit bit string, obtained by inverting only a 
least significant bit of one of the identifiers acquired 
by the identifier acquisition unit, satisfying a first 
condition that the bit string not match any of the 
identifiers acquired by the identifier acquisition unit, 
(ii) provisionally designates the determined bit 
string as an identifier, (iii) specifies one or more X 
values satisfying a second condition that, out of the 
identifiers acquired by the identifier acquisition unit 
and the provisionally designated identifier, the 
number of identifiers which have matching X 
number of bits from a most significant bit is 2('^^, 
and (iv) generates the invalidated-terminal informa- 
tion by determining, as the generic information for 
each specified X value, information specifying the 
X value and a value of a bit string of X bits from the 
most significant bit in the 2(^-^ identifiers, where N 
is the predetermined number of bits and X is less 
than N. 

12. The encryption communications system of claim 1 1 , 
wherein 

each terminal is manufactured by one of a plu- 
rality of manufacturers, and 

an identifier identifying the terminal shows the 
manufacturer of the terminal by a bit string having 
a predetermined number of bits from a most signif- 
icant bit in the identifier. 

13. The encryption communications system of claim 12, 
wherein 

each terminal holds a decryption key unique 
to the terminal, and is further operable to internally 
store encrypted content, which is content encrypted 
by a content key, 

the output unit conducts the output by trans- 
mitting the invalidated-terminal information to the 
encryption communications device, 

the encryption communications device has: 



a decrypting unit operable to decrypt the 
encrypted content key transmitted from the 
encryption communications device, using 
the decryption key unique to the terminal; 
s and 

a playback unit operable, when the en- 
crypted content is stored in the terminal, to 
decrypt the encrypted content using the 
decrypted content key, and to playback the 
10 decrypted content. 

14. The encryption communications system of claim 1. 
wherein 

each terminal is manufactured by one of a plu- 
15 rality of manufacturers, and 

an identifier identifying the terminal shows the 
manufacturer of the terminal by a bit string having 
a predetermined range in the identifier. 

20 15. The encryption communications system of claim 1 , 
wherein each terminal holds a unique decryption 
key, 

the encryption communications device has an 
encryption key storage unit operable to store en- 
25 cryption keys that correlate one-to-one with the de- 
cryption keys of all of the terminals, 

the communication unit, when judged by the 
judging unit that the received identifier does not 
match any of the identifiers shown by the invalidat- 
30 ed-terminal information, encrypts communication 
data using an encryption key that correlates with the 
decryption key unique to the'terminal which trans- 
mitted the identifier, and transmits the encrypted 
communication data to the terminal, and 

the terminal decrypts the encrypted commu- 
nication data transmitted from the encryption com- 
munications device, using the decryption key 
unique to the terminal. 

16. The encryption communications system of claim 1, 
wherein 

the output unit conducts the output by trans- 
mitting the invalidated-terminal information to the 
encryption communications device, and 

the invalidated-terminal information acquisi- 
tion unit conducts the acquisition by receiving the 
invalidated-terminal information transmitted by the 
output unit. 

17. The encryption communications system of claim 1, 
wherein ^ 

the output unit has a mounting subunit oper- 
able to mount a storage medium, and conducts the 
output by storing the invalidated-terminal informa- 
tion on the mounted storage medium, and 

the invalidated-terminal information acquisi- 
tion unit is operable to mount the storage medium, 
and conducts the acquisition by reading the invali- 



an encryption key storage unit operable to store 
encryption keys that correlate one-to-one with 
the decryption keys of all of the terminals; and 
a content key storage unit operable to store the 
content key, 45 
the invalidated-terminal information acquisition 
unit conducts the acquisition by receiving the 
invalidated-terminal information transmitted by 
the output unit, 

the communication unit, when judged by the so 
judging unit that the received identifier does not 
match any of the identifiers shown by the inval- 
idated-terminal information, encrypts the con- 
tent key using an encryption key that correlates 
with the decryption key unique to the terminal 55 
which transmitted the identifier, and transmits 
the encrypted content key to the terminal, and 
each terminal has: 
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dated-terminal information from the mounted stor- 
age medium. 

18. A management device that generates invalidated- 
terminal information showing, out of a plurality of 
identifiers identifying a plurality of terminals, the 
identifiers of one or more terminals to be invalidat- 
ed, each identifier being a bit string having a prede- 
termined number of bits for identifying a different 
one of the terminals, comprising: 

an invalidated-terminal information generation 
unit operable to generate the invalidated-termi- 
nal Information using a data format that gener- 
ically expresses, by information specifying a 
value of a section in a bit string having the pre- 
determined number of bits, all identifiers in 
which a value of the section matches the spec- 
ified value; and 

an output unit operable to output the generated 
invalidated-terminal information. 

19. The management device of claim 18, wherein 

the invalidated-terminal information (i) in- 
cludes one or more sets of corresponded value and 
position information, each piece of value informa- 
tion showing a value of a section of a bit string hav- 
ing the predetermined number of bits, and a corre- 
sponding piece of position information being for 
specifying a bit position of the section in the bit 
string, and (ii) is information specifying, as a termi- 
nal to be Invalidated, all terminals identified respec- 
tively by all identifiers in which a value of a partial 
bit string located in a bit position specified by a piece 
of position information matches a value shown by a 
piece of value information corresponding to the 
piece of position information. 

20. The management device of claim 19, wherein 

each terminal is manufactured by one of a plu- 
rality of manufacturers, and 

an identifier identifying the terminal shows the 
manufacturer of the terminal by a bit string having 
a predetermined range in the identifier 

21. An encryption communications device for conduct- 
ing communications with a plurality of terminals, 
each of which holds an identifier, which is a bit string 
having a predetermined number of bits for identify- 
ing the terminal, comprising: 

an invalidated-terminal information acquisition 
unit operable to acquire, from an external 
source, invalidated-terminal information that 
shows the identifiers of one or more terminals 
as information for specifying one or more ter- 
minals to be invalidated, the invalidated-termi- 
nal information being structured using a data 



format that generically expresses, by informa- 
tion specifying a value of a section in a bit string 
having the predetermined number of bits, all 
identifiers In which a value of the section match- 

s es the specified value; 

an identifier receiving unit operable, when an 
identifier held by a terminal is transmitted from 
the terminal, to receive the identifier; 
a judging unit operable to judge whether the re- 

10 ceived identifier matches any of the one or 

more identifiers shown by the invalidated-ter- 
minal information as information specifying one 
or more terminals to be invalidated; and 
a communication unit operable (i) when Judged 

15 to not be any matches, to conduct a predeter- 

mined communication with the terminal that 
transmitted the identifier, by performing an en- 
cryption unique to the terminal, and (ii) when 
judged to be a match, to not conduct the pre- 

20 detemiined communication with the terminal. 

22. The encryption communications device of claim 21 , 

wherein 

the invalidated-terminal information (i) in- 

25 eludes one or more sets of corresponded value and 
position information, each piece of value informa- 
tion showing a value of a section of a bit string hav- 
ing the predetermined number of bits, and a corre- 
sponding piece of position information being for 

30 specifying a bit position of the section in the bit 
string, and (ii) is information specifying, as a termi- 
nal to be invalidated, all terminals identified respec- 
tively by all identifiers in which a value of a partial 
bit string located in a bit position specified by a piece 

35 of position information matches a value shown by a 
piece of value information corresponding to the 
piece of position information, and 

the judging unit (i) verifies, for each piece of 
position information, whether a value, in the re- 

40 ceived identifier, of a partial bit string located in a bit 
position specified by the piece of position informa- 
tion matches a value shown by a piece of value in- 
formation corresponding to the piece of position in- 
formation, and (ii) judges, when verified that there 

45 is at least one match, that the received identifier 
matches an identifier shown by the invalidated-ter- 
minal information. 

23. An information generation method that generates 
50 invalidated-terminal information for specifying one 

or more terminals to be invalidated out of a plurality 
of terminals, comprising: 

an identifier acquisition step of acquiring iden- 
55 tifiers of terminals to be invalidated, each iden- 

tifier being a bit string having a predetermined 
number of bits for identifying a different one of 
the terminals; and 
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an invalidated-terminal information generation 
step of generating the invalidated-terminal in- 
formation to show all of the identifiers acquired 
in the identifier acquisition step, using a data 
format that generically expresses, by informa- 
tion specifying a value of a section in a bit string 
having the predetermined number of bits, all 
identifiers in which a value of the section match- 
es the specified value. 

24. The information generation method of claim 23, 
wherein 

the invalidated-terminal information genera- 
tion step (i) specifies one or more X values satisfy- 
ing a condition that, out of the identifiers acquired 
Jn the identifier acquisition step, the number of iden- 
tifiers which have matching X number of bits from a 
most significant bit is 2('^^, and (ii) generates the 
invalidated-terminal information to be structured 
from sets, for each X value, of corresponded signif- 
icant-digit and value information, the significant-dig- 
it information showing theXnumber of bit digits, and 
the value information showing a value of a bit string 
of X bits from the most significant bit in the 2if^-^ 
identifiers, where A/ is the predetermined number of 
bits. 

25. The information generation method of claim 24, 
wherein 

each terminal is manufactured by one of a plu- 
rality of manufacturers, and 

an identifier identifying the terminal shows the 
manufacturer of the terminal by a bit string having 
a predetermined number of bits from a most signif- 
icant bit in the identifier. 

26. The information generation method of claim 23, 
wherein 

the invalidated-terminal information genera- 
tion step (i) determines, as exception information, 
an A/-bit bit string, obtained by inverting only a least 
significant bit of one of the identifiers acquired in the 
identifier acquisition step, satisfying a first condition 
that the bit string not match any of the identifiers 
acquired in the identifier acquisition step, (ii) provi- 
sionally designates the determined bit string as an 
identifier, (iii) specifies one or more X values satis- 
fying a second condition that, out of identifiers ac- 
quired in the identifier acquisition step and the pro- 
visionally designated identifier, the number of iden- 
tifiers which have matching X number of bits from a 
most significant bit is 2(^^, and (iv) generates the 
invalidated-terminal information to be structured 
from sets of corresponded values for each specified 
X value and the exception information, the corre- 
sponded values being the X value and a value of a 
bit string of X bits from the most significant bit in the 
2<'^-^ identifiers, where N is the predetermined 



number of bits and X is less than N. 

27. The information generation method of claim 26. 
wherein 

5 each terminal is manufactured by one of a plu- 

rality of manufacturers, and 

an identifier identifying the terminal shows the 
manufacturer of the terminal by a bit string having 
a predetermined number of bits from a most signif- 

10 icant bit in the identifier. 

28. A computer program for having a computer execute 
information generation processing that generates 
invalidated-terminal information specifying one or 

15 more terminals to be invalidated out of a plurality of 
terminals, the information generation processing in- 
cluding: 

an identifier acquisition step of acquiring iden- 
20 tifiers of terminals to be invalidated, each iden- 

tifier being a bit string having a predetermined 
number of bits for identifying a different one of 
the terminals; and 

an invalidated-terminal information generation 
25 step of generating the invalidated-terminal in- 

formation to show all of the identifiers acquired 
in the identifier acquisition step, using a data 
format that generically expresses, by informa- 
tion specifying a value of a section in a bit string 
30 having the predetermined number of bits, all 

identifiers in which a value of the section match- 
es the specified value. 

29. A storage medium storing a computer program for 
35 having a computer execute information generation 

processing that generates invalidated-terminal in- 
formation specifying one or more terminals to be in- 
validated out of a plurality of terminals, the informa- 
tion generation processing including: 

40 

an identifier acquisition step of acquiring iden- 
tifiers of terminals to be invalidated, each iden- 
tifier being a bit string having a predetermined 
number of bits for identifying a different one of 

45 the terminals; and 

an invalidated-terminal information generation 
step of generating the invalidated-terminal in- 
formation to show all of the identifiers acquired 
in the identitier acquisition step, using a data 

50 format that generically expresses, by informa- 

tion specifying a value of a section in a bit string 
having the predetermined number of bits, all 
identifiers in which a value of the section match- 
es the specified value. 

55 

30. A computer program for having a computer execute 
judgment processing that judges, based on an iden- 
tifier transmitted from one of a plurality of terminals, 
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whether the terminal is to be invalidated, the judg- 
ment processing including: 

an identifier receiving step of receiving an iden- 
tifier transmitted from one of the plurality of ter- 5 
minals. the identifier having a predetermined 
number of bits; 

an invalidated-terminal information acquisition 
step of acquiring invalidated-terminal informa- 
tion that specifies the identifiers of one or more 
terminals to be invalidated using a data format 
that generically expresses, by information 
specifying a value of a section in a bit string 
having the predetermined number of bits, all 
identifiers in which a value of the section match- 
es the specified value; and 
a judging step of judging whether the received 
identifier matches any of the identifiers speci- 
fied by the invalidated-terminal information. 

31. A storage medium storing a computer program for 
having a computer execute judgment processing 
that judges, based on an identifier transmitted from 
one of a plurality of terminals, whether the terminal 
is to be invalidated, the judgment processing includ- 
ing: 

an identifier receiving step of receiving an iden- 
tifier transmitted from one of the plurality of ter- 
minals, the identifier having a predetermined 
number of bits; 

an invalidated-terminal information acquisition 
step of acquiring invalidated-terminal informa- 
tion that specifies the identifiers of one or more 
terminals to be invalidated using a data format 
that generically expresses, by information 
specifying a value of a section in a bit string 
having the predetermined number of bits, all 
identifiers in which a value of the section match- 
es the specified value; and 
a judging step of judging whether the received 
identifier matches any of the identifiers speci- 
fied by the invalidated-terminal information. 

32. A computer-readable storage medium storing inval- 
idated-terminal data, wherein 

in order to specify, out of a plurality of identi- 
fiers that are bit strings having a predetermined 
number of bits for identifying a different one of a plu- 
rality of terminals, the identifiers of one or more ter- 
minals to be invalidated, the invalidated-terminal 
data (i) has an identifier-specifying field that stores 
section information for specifying a value of a sec- 
tion of a bit string having the predetermined number 
of bits, and (ii) generically expresses, by the section 
information, all identifiers in which a value of the 
section matches the specified value. 



33. The storage medium of claim 32, wherein 

the identifier-specifying field is structured to 
include one or more sets of corresponded value in- 
formation and position information fields, each val- 
ue information field storing value information show- 
ing a value of a section of a bit string having the 
predetermined number of bits, and a corresponding 
position information field storing position informa- 
tion for specifying a bit position of the section in the 
bit string, and 

the invalidated-terminal data is data specify- 
ing, as an identifier of a terminal to be invalidated, 
all identifiers in which a value of a partial bit string 
located in a bit position specified by a piece of po- 
sition information matches a value shown by a piece 
of value information stored in a value information 
field corresponding to a position information field in 
which the piece of position information is stored. 

34. The storage medium of claim 33, wherein 

each terminal is manufactured by one of a plu- 
rality of manufacturers, and 

an identifier identifying the temiinal shows the 
manufacturer of the terminal by a bit string having 
a predetermined range in the identifier. 

35. Invalidated-terminal data that, in order to specify, 
out of a plurality of identifiers that are bit strings hav- 
ing a predetermined number of bits for identifying a 
different one of a plurality of terminals, the identifi- 
ers of one or more terminals to be invalidated, (i) 
has an identifier-specifying field that stores section 
information for specifying a value of a section of a 
bit string having the predetermined number of bits, 
and (ii) generically expresses, by the section infor- 
mation, all identifiers in which a value of the section 
matches the specified value. 

36. An encryption communications system comprising 
an encryption communications device, a plurality of 
terminals that each transmit to the encryption com- 
munications device a key identifier having a prede- 
termined number of bits, and a management device 
that generates invalidated-identifier information 
specifying one or more key identifiers to be invali- 
dated, wherein 

the management device has: 

an invalidated-identifier information generation 
unit operable to generate the invalidated-iden- 
tifier information using a data format that gener- 
ically expresses, by information specifying a 
value of a section in a bit string having the pre- 
determined number of bits, all identifiers in 
which a value of the section matches the spec- 
ified value; and 

an output unit operable to output the generated 
invalidated-identifier information, and 
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the encryption communications device has: 

an acquisition unit operable to acquire the 
invalidated-identifier infomnation outputted 
by the management device; 
an identifier receiving unit operable to re- 
ceive a key identifier transmitted from one 
of the plurality of terminals; 
a judging unit operable to judge whether 
the received key identifier matches any of 
the one or more key identifiers specified by 
the invalidated-identifier information; and 
a communication unit operable, only when 
judged to not be any matches, to conduct 
a predetermined communication with the 
terminal that transmitted the key identifier, 
by performing an encryption relating 
uniquely to the key identifier. 
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FIG. 19 
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